Overview Repositories Revisions Requests Users Attributes Meta

Revisions of expat

Dominique Leuenberger's avatar Dominique Leuenberger (dimstar_suse) accepted request 956337 from Pedro Monreal Gonzalez's avatar Pedro Monreal Gonzalez (pmonrealgonzalez) (revision 66) 
- update to 2.4.6 (bsc#1196168, CVE-2022-25313):
  * Bug fixes:
    - Fix a regression introduced by the fix for CVE-2022-25313
      in release 2.4.5 that affects applications that (1)
      call function XML_SetElementDeclHandler and (2) are
      parsing XML that contains nested element declarations
      (e.g. "<!ELEMENT junk ((bar|foo|xyz+), zebra*)>").
    - Version info bumped from 9:5:8 to 9:6:8;
      see https://verbump.de/ for what these numbers do.

- update to 2.4.5 (bsc#1196171, bsc#1196169, bsc#1196168, 
  bsc#1196026, bsc#1196025):
    * Security fixes:
      - CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8
        sequences (e.g. from start tag names) to the XML
        processing application on top of Expat can cause
        arbitrary damage (e.g. code execution) depending
        on how invalid UTF-8 is handled inside the XML
        processor; validation was not their job but Expat's.
        Exploits with code execution are known to exist.
      - CVE-2022-25236 -- Passing (one or more) namespace separator
        characters in "xmlns[:prefix]" attribute values
        made Expat send malformed tag names to the XML
        processor on top of Expat which can cause
        arbitrary damage (e.g. code execution) depending
        on such unexpectable cases are handled inside the XML
        processor; validation was not their job but Expat's.
        Exploits with code execution are known to exist.
      - CVE-2022-25313 -- Fix stack exhaustion in doctype parsing
        that could be triggered by e.g. a 2 megabytes
Dominique Leuenberger's avatar Dominique Leuenberger (dimstar_suse) accepted request 754751 from Factory Maintainer's avatar Factory Maintainer (factory-maintainer) (revision 59) 
Automatic submission by obs-autosubmit
Dominique Leuenberger's avatar Dominique Leuenberger (dimstar_suse) accepted request 713395 from Tomáš Chvátal's avatar Tomáš Chvátal (scarabeus_iv) (revision 57) 
- Version update to 2.2.7 (CVE-2018-20843, bsc#1139937)
  * Security fixes:
    - CVE-2018-20843 - Fix extraction of namespace prefixes from
      XML names; XML names with multiple colons could end up in
      the wrong namespace, and take a high amount of RAM and CPU
      resources while processing, opening the door to use for
      denial-of-service attacks
  * Other changes:
    - Autotools/CMake: Utilize -fvisibility=hidden to stop
      exporting non-API symbols
    - Autotools: Add --without-examples and --without-tests
    - Autotools: Modernize configure.ac
    - Autotools: Fix check for -fvisibility=hidden for Clang
    - Autotools: Fix compilation for lack of docbook2x-man
    - CMake: Make libdir of pkgconfig expat.pc support multilib
    - CMake: Build man page in PROJECT_BINARY_DIR not _SOURCE_DIR
    - Remove fallback to bcopy, assume that memmove(3) exists
- Removed expat-2.2.6-fix-make-clean.patch
Displaying revisions 1 - 20 of 75
openSUSE Build Service is sponsored by
Places