File _patchinfo of Package patchinfo.38199

<patchinfo incident="38199">
  <issue tracker="cve" id="2024-8176"/>
  <issue tracker="bnc" id="1239618">VUL-0: CVE-2024-8176: expat: libexpat: expat: Improper Restriction of XML Entity Expansion Depth in libexpat</issue>
  <issue tracker="jsc" id="SLE-21253"/>
  <issue tracker="jsc" id="PED-12500"/>
  <packager>pgajdos</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for expat</summary>
  <description>This update for expat fixes the following issues:

- CVE-2024-8176: Fixed denial of service from chaining a large number of entities caused
  by stack overflow by resolving use of recursion (bsc#1239618)

Other fixes:
- version update to 2.7.1 (jsc#PED-12500)
     Bug fixes:
       #980 #989  Restore event pointer behavior from Expat 2.6.4
                    (that the fix to CVE-2024-8176 changed in 2.7.0);
                    affected API functions are:
                    - XML_GetCurrentByteCount
                    - XML_GetCurrentByteIndex
                    - XML_GetCurrentColumnNumber
                    - XML_GetCurrentLineNumber
                    - XML_GetInputContext
     Other changes:
       #976 #977  Autotools: Integrate files "fuzz/xml_lpm_fuzzer.{cpp,proto}"
                    with Automake that were missing from 2.7.0 release tarballs
       #983 #984  Fix printf format specifiers for 32bit Emscripten
            #992  docs: Promote OpenSSF Best Practices self-certification
            #978  tests/benchmark: Resolve mistaken double close
            #986  Address compiler warnings
       #990 #993  Version info bumped from 11:1:10 (libexpat*.so.1.10.1)
                    to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/
                    for what these numbers do
        Infrastructure:
            #982  CI: Start running Perl XML::Parser integration tests
            #987  CI: Enforce Clang Static Analyzer clean code
            #991  CI: Re-enable warning clang-analyzer-valist.Uninitialized
                    for clang-tidy
            #981  CI: Cover compilation with musl
       #983 #984  CI: Cover compilation with 32bit Emscripten
       #976 #977  CI: Protect against fuzzer files missing from future
                    release archives

- version update to 2.7.0
       #935 #937  Autotools: Make generated CMake files look for
                    libexpat.@SO_MAJOR@.dylib on macOS
            #925  Autotools: Sync CMake templates with CMake 3.29
  #945 #962 #966  CMake: Drop support for CMake &lt;3.13
            #942  CMake: Small fuzzing related improvements
            #921  docs: Add missing documentation of error code
                    XML_ERROR_NOT_STARTED that was introduced with 2.6.4
            #941  docs: Document need for C++11 compiler for use from C++
            #959  tests/benchmark: Fix a (harmless) TOCTTOU
            #944  Windows: Fix installer target location of file xmlwf.xml
                    for CMake
            #953  Windows: Address warning -Wunknown-warning-option
                    about -Wno-pedantic-ms-format from LLVM MinGW
            #971  Address Cppcheck warnings
       #969 #970  Mass-migrate links from http:// to https://
    #947 #958 ..
       #974 #975  Document changes since the previous release
       #974 #975  Version info bumped from 11:0:10 (libexpat*.so.1.10.0)
                    to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/
                    for what these numbers do
    - Version info bumped from 9:3:8 to 9:4:8;
      see https://verbump.de/ for what these numbers do
</description>
</patchinfo>