NOTE: We are looking for help with a few things:
      https://github.com/libexpat/libexpat/labels/help%20wanted
      If you can help, please get in touch.  Thanks!

Release 2.2.8 Fri September 13 2019
        Security fixes:
       #317 #318  CVE-2019-15903 -- Fix heap overflow triggered by
                    XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber),
                    and deny internal entities closing the doctype;
                    fixed in commit c20b758c332d9a13afbbb276d30db1d183a85d43

        Bug fixes:
            #240  Fix cases where XML_StopParser did not have any effect
                    when called from inside of an end element handler
            #341  xmlwf: Fix exit code for operation without "-d DIRECTORY";
                    previously, only "-d DIRECTORY" would give you a proper
                    exit code:
                      # xmlwf -d . <<<'<not well-formed>' 2>/dev/null ; echo $?
                      2
                      # xmlwf <<<'<not well-formed>' 2>/dev/null ; echo $?
                      0
                    Now both cases return exit code 2.

        Other changes:
       #299 #302  Windows: Replace LoadLibrary hack to access
                    unofficial API function SystemFunction036 (RtlGenRandom)
                    by using official API function rand_s (needs WinXP+)
            #325  Windows: Drop support for Visual Studio <=7.1/2003
                    and document supported compilers in README.md
            #286  Windows: Remove COM code from xmlwf; in case it turns
                    out needed later, there will be a dedicated repository
                    below https://github.com/libexpat/ for that code
            #322  Windows: Remove explicit MSVC solution and project files.
                    You can generate Visual Studio solution files through
                    CMake, e.g.: cmake -G"Visual Studio 15 2017" .
            #338  xmlwf: Make "xmlwf -h" help output more friendly
            #339  examples: Improve elements.c
       #244 #264  Autotools: Add argument --enable-xml-attr-info
       #239 #301  Autotools: Add arguments
                    --with-getrandom
                    --without-getrandom
                    --with-sys-getrandom
                    --without-sys-getrandom
       #312 #343  Autotools: Fix linking issues with "./configure LD=clang"
                  Autotools: Fix "make run-xmltest" for out-of-source builds
       #329 #336  CMake: Pull all options from Expat <=2.2.7 into namespace
                    prefix EXPAT_ with the exception of DOCBOOK_TO_MAN:
                    - BUILD_doc            -> EXPAT_BUILD_DOCS (plural)
                    - BUILD_examples       -> EXPAT_BUILD_EXAMPLES
                    - BUILD_shared         -> EXPAT_SHARED_LIBS
                    - BUILD_tests          -> EXPAT_BUILD_TESTS
                    - BUILD_tools          -> EXPAT_BUILD_TOOLS
                    - DOCBOOK_TO_MAN       -> DOCBOOK_TO_MAN (unchanged)
                    - INSTALL              -> EXPAT_ENABLE_INSTALL
                    - MSVC_USE_STATIC_CRT  -> EXPAT_MSVC_STATIC_CRT
                    - USE_libbsd           -> EXPAT_WITH_LIBBSD
                    - WARNINGS_AS_ERRORS   -> EXPAT_WARNINGS_AS_ERRORS
                    - XML_CONTEXT_BYTES    -> EXPAT_CONTEXT_BYTES
                    - XML_DEV_URANDOM      -> EXPAT_DEV_URANDOM
                    - XML_DTD              -> EXPAT_DTD
                    - XML_NS               -> EXPAT_NS
                    - XML_UNICODE          -> EXPAT_CHAR_TYPE=ushort (!)
                    - XML_UNICODE_WCHAR_T  -> EXPAT_CHAR_TYPE=wchar_t (!)
       #244 #264  CMake: Add argument -DEXPAT_ATTR_INFO=(ON|OFF),
                    default OFF
            #326  CMake: Add argument -DEXPAT_LARGE_SIZE=(ON|OFF),
                    default OFF
            #328  CMake: Add argument -DEXPAT_MIN_SIZE=(ON|OFF),
                    default OFF
       #239 #277  CMake: Add arguments
                    -DEXPAT_WITH_GETRANDOM=(ON|OFF|AUTO), default AUTO
                    -DEXPAT_WITH_SYS_GETRANDOM=(ON|OFF|AUTO), default AUTO
            #326  CMake: Install expat_config.h to include directory
            #326  CMake: Generate and install configuration files for
                    future find_package(expat [..] CONFIG [..])
                  CMake: Now produces a summary of applied configuration
                  CMake: Require C++ compiler only when tests are enabled
            #330  CMake: Fix compilation for 16bit character types,
                    i.e. ex -DXML_UNICODE=ON (and ex -DXML_UNICODE_WCHAR_T=ON)
            #265  CMake: Fix linking with MinGW
            #330  CMake: Add full support for MinGW; to enable, use
                    -DCMAKE_TOOLCHAIN_FILE=[expat]/cmake/mingw-toolchain.cmake
            #330  CMake: Port "make run-xmltest" from GNU Autotools to CMake
            #316  CMake: Windows: Make binary postfix match MSVC
                    Old: expat[d].lib
                    New: expat[w][d][MD|MT].lib
                  CMake: Migrate files from Windows to Unix line endings
            #308  CMake: Integrate OSS-Fuzz fuzzers, option
                    -DEXPAT_BUILD_FUZZERS=(ON|OFF), default OFF
             #14  Drop an OpenVMS support leftover
    #235 #268 ..
    #270 #310 ..
  #313 #331 #333  Address compiler warnings
    #282 #283 ..
       #284 #285  Address cppcheck warnings
       #294 #295  Address Clang Static Analyzer warnings
        #24 #293  Mass-apply clang-format 9 (and ensure conformance during CI)
                  Version info bumped from 7:9:6 to 7:10:6

        Special thanks to:
            David Loffredo
            Joonun Jang
            Khajapasha Mohammed
            Kishore Kunche
            Marco Maggi
            Mitch Phillips
            Rolf Ade
            xantares
            Zhongyuan Zhou

Release 2.2.7 Wed June 19 2019
        Security fixes:
       #186 #262  CVE-2018-20843 -- Fix extraction of namespace prefixes from
                    XML names; XML names with multiple colons could end up in
                    the wrong namespace, and take a high amount of RAM and CPU
                    resources while processing, opening the door to
                    use for denial-of-service attacks

        Other changes:
       #195 #197  Autotools/CMake: Utilize -fvisibility=hidden to stop
                    exporting non-API symbols
            #227  Autotools: Add --without-examples and --without-tests
            #228  Autotools: Modernize configure.ac
       #245 #246  Autotools: Fix check for -fvisibility=hidden for Clang
       #247 #248  Autotools: Fix compilation for lack of docbook2x-man
       #236 #258  Autotools: Produce .tar.{gz,lz,xz} release archives
            #212  CMake: Make libdir of pkgconfig expat.pc support multilib
       #158 #263  CMake: Build man page in PROJECT_BINARY_DIR not _SOURCE_DIR
            #219  Remove fallback to bcopy, assume that memmove(3) exists
            #257  Use portable "/usr/bin/env bash" shebang (e.g. for OpenBSD)
            #243  Windows: Fix syntax of .def module definition files
                  Version info bumped from 7:8:6 to 7:9:6

        Special thanks to:
            Benjamin Peterson
            Caolán McNamara
            Hanno Böck
            KangLin
            Kishore Kunche
            Marco Maggi
            Rhodri James
            Sebastian Dröge
            userwithuid
            Yury Gribov

Release 2.2.6 Sun August 12 2018
        Bug fixes:
       #170 #206  Avoid doing arithmetic with NULL pointers in XML_GetBuffer
       #204 #205  Fix 2.2.5 regression with suspend-resume while parsing
                    a document like '<root/>'

        Other changes:
       #165 #168  Autotools: Fix docbook-related configure syntax error
            #166  Autotools: Avoid grep option `-q` for Solaris
            #167  Autotools: Support
                    ./configure DOCBOOK_TO_MAN="xmlto man --skip-validation"
       #159 #167  Autotools: Support DOCBOOK_TO_MAN command which produces
                    xmlwf.1 rather than XMLWF.1; also covers case insensitive
                    file systems
            #181  Autotools: Drop -rpath option passed to libtool
            #188  Autotools: Detect and deny SGML docbook2man as ours is XML
            #188  Autotools/CMake: Support command db2x_docbook2man as well
            #174  CMake: Introduce option WARNINGS_AS_ERRORS, defaults to OFF
       #184 #185  CMake: Introduce option MSVC_USE_STATIC_CRT, defaults to OFF
       #207 #208  CMake: Introduce option XML_UNICODE and XML_UNICODE_WCHAR_T,
                    both defaulting to OFF
            #175  CMake: Prefer check_symbol_exists over check_function_exists
            #176  CMake: Create the same pkg-config file as with GNU Autotools
       #178 #179  CMake: Use GNUInstallDirs module to set proper defaults for
                    install directories
            #208  CMake: Utilize expat_config.h.cmake for XML_DEV_URANDOM
            #180  Windows: Fix compilation of test suite for Visual Studio 2008
  #131 #173 #202  Address compiler warnings
  #187 #190 #200  Fix miscellaneous typos
                  Version info bumped from 7:7:6 to 7:8:6

        Special thanks to:
            Anton Maklakov
            Benjamin Peterson
            Brad King
            Franek Korta
            Frank Rast
            Joe Orton
            luzpaz
            Pedro Vicente
            Rainer Jung
            Rhodri James
            Rolf Ade
            Rolf Eike Beer
            Thomas Beutlich
            Tomasz Kłoczko

Release 2.2.5 Tue October 31 2017
        Bug fixes:
              #8  If the parser runs out of memory, make sure its internal
                    state reflects the memory it actually has, not the memory
                    it wanted to have.
             #11  The default handler wasn't being called when it should for
                    a SYSTEM or PUBLIC doctype if an entity declaration handler
                    was registered.
       #137 #138  Fix a case of mistakenly reported parsing success where
                    XML_StopParser was called from an element handler
            #162  Function XML_ErrorString was returning NULL rather than
                    a message for code XML_ERROR_INVALID_ARGUMENT
                    introduced with release 2.2.1

        Other changes:
            #106  xmlwf: Add argument -N adding notation declarations
        #75 #106  Test suite: Resolve expected failure cases where xmlwf
                    output was incomplete
            #127  Windows: Fix test suite compilation
       #126 #127  Windows: Fix compilation for Visual Studio 2012
                  Windows: Upgrade shipped project files to Visual Studio 2017
        #33 #132  tests: Mass-fix compilation for XML_UNICODE_WCHAR_T
            #129  examples: Fix compilation for XML_UNICODE_WCHAR_T
            #130  benchmark: Fix compilation for XML_UNICODE_WCHAR_T
            #144  xmlwf: Fix compilation for XML_UNICODE_WCHAR_T; still needs
                    Windows or MinGW for 2-byte wchar_t
              #9  Address two Clang Static Analyzer false positives
             #59  Resolve troublesome macros hiding parser struct membership
                    and dereferencing that pointer
              #6  Resolve superfluous internal malloc/realloc switch
       #153 #155  Improve docbook2x-man detection
            #160  Undefine NDEBUG in the test suite (rather than rejecting it)
            #161  Address compiler warnings
                  Version info bumped from 7:6:6 to 7:7:6

        Special thanks to:
            Benbuck Nason
            Hans Wennborg
            José Gutiérrez de la Concha
            Pedro Monreal Gonzalez
            Rhodri James
            Rolf Ade
            Stephen Groat
                 and
            Core Infrastructure Initiative

Release 2.2.4 Sat August 19 2017
        Bug fixes:
            #115  Fix copying of partial characters for UTF-8 input

        Other changes:
            #109  Fix "make check" for non-x86 architectures that default
                    to unsigned type char (-128..127 rather than 0..255)
            #109  coverage.sh: Cover -funsigned-char
                  Autotools: Introduce --without-xmlwf argument
             #65  Autotools: Replace handwritten Makefile with GNU Automake
             #43  CMake: Auto-detect high quality entropy extractors, add new
                    option USE_libbsd=ON to use arc4random_buf of libbsd
             #74  CMake: Add -fno-strict-aliasing only where supported
            #114  CMake: Always honor manually set BUILD_* options
            #114  CMake: Compile man page if docbook2x-man is available, only
            #117  Include file tests/xmltest.log.expected in source tarball
                    (required for "make run-xmltest")
            #117  Include (existing) Visual Studio 2013 files in source tarball
                  Improve test suite error output
            #111  Fix some typos in documentation
                  Version info bumped from 7:5:6 to 7:6:6

        Special thanks to:
            Jakub Wilk
            Joe Orton
            Lin Tian
            Rolf Eike Beer

Release 2.2.3 Wed August 2 2017
        Security fixes:
             #82  CVE-2017-11742 -- Windows: Fix DLL hijacking vulnerability
                    using Steve Holme's LoadLibrary wrapper for/of cURL

        Bug fixes:
             #85  Fix a dangling pointer issue related to realloc

        Other changes:
                  Increase code coverage
             #91  Linux: Allow getrandom to fail if nonblocking pool has not
                    yet been initialized and read /dev/urandom then, instead.
                    This is in line with what recent Python does.
             #81  Pre-10.7/Lion macOS: Support entropy from arc4random
             #86  Check that a UTF-16 encoding in an XML declaration has the
                    right endianness
        #4 #5 #7  Recover correctly when some reallocations fail
                  Repair "./configure && make" for systems without any
                    provider of high quality entropy
                    and try reading /dev/urandom on those
                  Ensure that user-defined character encodings have converter
                    functions when they are needed
                  Fix misleading description of argument -c in xmlwf.1
                  Rely on macro HAVE_ARC4RANDOM_BUF (rather than __CloudABI__)
                    for CloudABI
            #100  Fix use of SIPHASH_MAIN in siphash.h
             #23  Test suite: Fix memory leaks
                  Version info bumped from 7:4:6 to 7:5:6

        Special thanks to:
            Chanho Park
            Joe Orton
            Pascal Cuoq
            Rhodri James
            Simon McVittie
            Vadim Zeitlin
            Viktor Szakats
                 and
            Core Infrastructure Initiative

Release 2.2.2 Wed July 12 2017
        Security fixes:
             #43  Protect against compilation without any source of high
                    quality entropy enabled, e.g. with CMake build system;
                    commit ff0207e6076e9828e536b8d9cd45c9c92069b895
             #60  Windows with _UNICODE:
                    Unintended use of LoadLibraryW with a non-wide string
                    resulted in failure to load advapi32.dll and degradation
                    in quality of used entropy when compiled with _UNICODE for
                    Windows; you can launch existing binaries with
                    EXPAT_ENTROPY_DEBUG=1 in the environment to inspect the
                    quality of entropy used during runtime; commits
                    * 95b95032f907ef1cd17ee7a9a1768010a825d61d
                    * 73a5a2e9c081f49f2d775cf7ced864158b68dc80
   [MOX-006]      Fix non-NULL parser parameter validation in XML_Parse;
                    resulted in NULL dereference, previously;
                    commit ac256dafdffc9622ab0dc2c62fcecb0dfcfa71fe

        Bug fixes:
             #69  Fix improper use of unsigned long long integer literals

        Other changes:
             #73  Start requiring a C99 compiler
             #49  Fix "==" Bashism in configure script
             #50  Fix too eager getrandom detection for Debian GNU/kFreeBSD
             #52    and macOS
             #51  Address lack of stdint.h in Visual Studio 2003 to 2008
             #58  Address compile warnings
             #68  Fix "./buildconf.sh && ./configure" for some versions
                    of Dash for /bin/sh
             #72  CMake: Ease use of Expat in context of a parent project
                    with multiple CMakeLists.txt files
             #72  CMake: Resolve mistaken executable permissions
             #76  Address compile warning with -DNDEBUG (not recommended!)
             #77  Address compile warning about macro redefinition

        Special thanks to:
            Alexander Bluhm
            Ben Boeckel
            Cătălin Răceanu
            Kerin Millar
            László Böszörményi
            S. P. Zeidler
            Segev Finer
            Václav Slavík
            Victor Stinner
            Viktor Szakats
                 and
            Radically Open Security

Release 2.2.1 Sat June 17 2017
        Security fixes:
                  CVE-2017-9233 -- External entity infinite loop DoS
                    Details: https://libexpat.github.io/doc/cve-2017-9233/
                    Commit c4bf96bb51dd2a1b0e185374362ee136fe2c9d7f
   [MOX-002]      CVE-2016-9063 -- Detect integer overflow; commit
                    d4f735b88d9932bd5039df2335eefdd0723dbe20
                    (Fixed version of existing downstream patches!)
   (SF.net) #539  Fix regression from fix to CVE-2016-0718 cutting off
                    longer tag names; commits
                    * 896b6c1fd3b842f377d1b62135dccf0a579cf65d
                    * af507cef2c93cb8d40062a0abe43a4f4e9158fb2
             #16    * 0dbbf43fdb20f593ddf4fa1ff67288000dd4a7fd
             #25  More integer overflow detection (function poolGrow); commits
                    * 810b74e4703dcfdd8f404e3cb177d44684775143
                    * 44178553f3539ce69d34abee77a05e879a7982ac
   [MOX-002]      Detect overflow from len=INT_MAX call to XML_Parse; commits
                    * 4be2cb5afcc018d996f34bbbce6374b7befad47f
                    * 7e5b71b748491b6e459e5c9a1d090820f94544d8
   [MOX-005] #30  Use high quality entropy for hash initialization:
                    * arc4random_buf on BSD, systems with libbsd
                      (when configured with --with-libbsd), CloudABI
                    * RtlGenRandom on Windows XP / Server 2003 and later
                    * getrandom on Linux 3.17+
                    In a way, that's still part of CVE-2016-5300.
                    https://github.com/libexpat/libexpat/pull/30/commits
   [MOX-005]      For the low quality entropy extraction fallback code,
                    the parser instance address can no longer leak, commit
                    04ad658bd3079dd15cb60fc67087900f0ff4b083
   [MOX-003]      Prevent use of uninitialised variable; commit
   [MOX-004]        a4dc944f37b664a3ca7199c624a98ee37babdb4b
                  Add missing parameter validation to public API functions
                    and dedicated error code XML_ERROR_INVALID_ARGUMENT:
   [MOX-006]        * NULL checks; commits
                      * d37f74b2b7149a3a95a680c4c4cd2a451a51d60a (merge/many)
                      * 9ed727064b675b7180c98cb3d4f75efba6966681
                      * 6a747c837c50114dfa413994e07c0ba477be4534
                    * Negative length (XML_Parse); commit
   [MOX-002]          70db8d2538a10f4c022655d6895e4c3e78692e7f
   [MOX-001] #35  Change hash algorithm to William Ahern's version of SipHash
                    to go further with fixing CVE-2012-0876.
                    https://github.com/libexpat/libexpat/pull/39/commits

        Bug fixes:
             #32  Fix sharing of hash salt across parsers;
                    relevant where XML_ExternalEntityParserCreate is called
                    prior to XML_Parse, in particular (e.g. FBReader)
             #28  xmlwf: Auto-disable use of memory-mapping (and parsing
                    as a single chunk) for files larger than ~1 GB (2^30 bytes)
                    rather than failing with error "out of memory"
              #3  Fix double free after malloc failure in DTD code; commit
                    7ae9c3d3af433cd4defe95234eae7dc8ed15637f
             #17  Fix memory leak on parser error for unbound XML attribute
                    prefix with new namespaces defined in the same tag;
                    found by Google's OSS-Fuzz; commits
                    * 16f87daae5a16132e479e4f71862128c7a915c73
                    * b47dbc9745932c160893d433220e462bd605f8cd
                  xmlwf on Windows: Add missing calls to CloseHandle

        New features:
             #30  Introduced environment switch EXPAT_ENTROPY_DEBUG=1
                    for runtime debugging of entropy extraction

        Other changes:
                  Increase code coverage
             #33  Reject use of XML_UNICODE_WCHAR_T with sizeof(wchar_t) != 2;
                    XML_UNICODE_WCHAR_T was never meant to be used outside
                    of Windows; 4-byte wchar_t is common on Linux
   (SF.net) #538  Start using -fno-strict-aliasing
   (SF.net) #540  Support compilation against cloudlibc of CloudABI
                  Allow MinGW cross-compilation
   (SF.net) #534  CMake: Introduce option "BUILD_doc" (enabled by default)
                    to bypass compilation of the xmlwf.1 man page
   (SF.net)  pr2  CMake: Introduce option "INSTALL" (enabled by default)
                    to bypass installation of expat files
                  CMake: Fix ninja support
                  Autotools: Add parameters --enable-xml-context [COUNT]
                    and --disable-xml-context; default of context of 1024
                    bytes enabled unchanged
             #14  Drop AmigaOS 4.x code and includes
             #14  Drop ancient build systems:
                    * Borland C++ Builder
                    * OpenVMS
                    * Open Watcom
                    * Visual Studio 6.0
                    * Pre-X Mac OS (MPW Makefile)
                    If you happen to rely on some of these, please get in
                    touch for joining with maintenance.
             #10  Move from WIN32 to _WIN32
             #13  Fix "make run-xmltest" order instability
                  Address compile warnings
                  Bump version info from 7:2:6 to 7:3:6
                  Add AUTHORS file

        Infrastructure:
              #1  Migrate from SourceForge to GitHub (except downloads):
                    https://github.com/libexpat/
              #1  Re-create http://libexpat.org/ project website
                  Start utilizing Travis CI

        Special thanks to:
            Andy Wang
            Don Lewis
            Ed Schouten
            Karl Waclawek
            Pascal Cuoq
            Rhodri James
            Sergei Nikulov
            Tobias Taschner
            Viktor Szakats
                 and
            Core Infrastructure Initiative
            Mozilla Foundation (MOSS Track 3: Secure Open Source)
            Radically Open Security

Release 2.2.0 Tue June 21 2016
        Security fixes:
            #537  CVE-2016-0718 -- Fix crash on malformed input
                  CVE-2016-4472 -- Improve insufficient fix to CVE-2015-1283 /
                                   CVE-2015-2716 introduced with Expat 2.1.1
            #499  CVE-2016-5300 -- Use more entropy for hash initialization
                                   than the original fix to CVE-2012-0876
            #519  CVE-2012-6702 -- Resolve troublesome internal call to srand
                                   that was introduced with Expat 2.1.0
                                   when addressing CVE-2012-0876 (issue #496)

        Bug fixes:
                  Fix uninitialized reads of size 1
                    (e.g. in little2_updatePosition)
                  Fix detection of UTF-8 character boundaries

        Other changes:
            #532  Fix compilation for Visual Studio 2010 (keyword "C99")
                  Autotools: Resolve use of "$<" to better support bmake
                  Autotools: Add QA script "qa.sh" (and make target "qa")
                  Autotools: Respect CXXFLAGS if given
                  Autotools: Fix "make run-xmltest"
                  Autotools: Have "make run-xmltest" check for expected output
             p90  CMake: Fix static build (BUILD_shared=OFF) on Windows
            #536  CMake: Add soversion, support -DNO_SONAME=yes to bypass
            #323  CMake: Add suffix "d" to differentiate debug from release
                  CMake: Define WIN32 with CMake on Windows
                  Annotate memory allocators for GCC
                  Address all currently known compile warnings
                  Make sure that API symbols remain visible despite
                    -fvisibility=hidden
                  Remove executable flag from source files
                  Resolve COMPILED_FROM_DSP in favor of WIN32

        Special thanks to:
            Björn Lindahl
            Christian Heimes
            Cristian Rodríguez
            Daniel Krügler
            Gustavo Grieco
            Karl Waclawek
            László Böszörményi
            Marco Grassi
            Pascal Cuoq
            Sergei Nikulov
            Thomas Beutlich
            Warren Young
            Yann Droneaud

Release 2.1.1 Sat March 12 2016
        Security fixes:
            #582: CVE-2015-1283 - Multiple integer overflows in XML_GetBuffer

        Bug fixes:
            #502: Fix potential null pointer dereference
            #520: Symbol XML_SetHashSalt was not exported
            Output of "xmlwf -h" was incomplete

        Other changes:
            #503: Document behavior of calling XML_SetHashSalt with salt 0
            Minor improvements to man page xmlwf(1)
            Improvements to the experimental CMake build system
            libtool now invoked with --verbose

Release 2.1.0 Sat March 24 2012
        - Security fixes:
          #2958794: CVE-2012-1148 - Memory leak in poolGrow.
          #2895533: CVE-2012-1147 - Resource leak in readfilemap.c.
          #3496608: CVE-2012-0876 - Hash DOS attack.
          #2894085: CVE-2009-3560 - Buffer over-read and crash in big2_toUtf8().
          #1990430: CVE-2009-3720 - Parser crash with special UTF-8 sequences.
        - Bug Fixes:
          #1742315: Harmful XML_ParserCreateNS suggestion.
          #1785430: Expat build fails on linux-amd64 with gcc version>=4.1 -O3.
          #1983953, 2517952, 2517962, 2649838:
                Build modifications using autoreconf instead of buildconf.sh.
          #2815947, #2884086: OBJEXT and EXEEXT support while building.
          #2517938: xmlwf should return non-zero exit status if not well-formed.
          #2517946: Wrong statement about XMLDecl in xmlwf.1 and xmlwf.sgml.
          #2855609: Dangling positionPtr after error.
          #2990652: CMake support.
          #3010819: UNEXPECTED_STATE with a trailing "%" in entity value.
          #3206497: Uninitialized memory returned from XML_Parse.
          #3287849: make check fails on mingw-w64.
        - Patches:
          #1749198: pkg-config support.
          #3010222: Fix for bug #3010819.
          #3312568: CMake support.
          #3446384: Report byte offsets for attr names and values.
        - New Features / API changes:
          Added new API member XML_SetHashSalt() that allows setting an initial
                value (salt) for hash calculations. This is part of the fix for
                bug #3496608 to randomize hash parameters.
          When compiled with XML_ATTR_INFO defined, adds new API member
                XML_GetAttributeInfo() that allows retrieving the byte
                offsets for attribute names and values (patch #3446384).
          Added CMake build system.
                See bug #2990652 and patch #3312568.
          Added run-benchmark target to Makefile.in - relies on testdata module
                present in the same relative location as in the repository.

Release 2.0.1 Tue June 5 2007
        - Fixed bugs #1515266, #1515600: The character data handler's calling
          of XML_StopParser() was not handled properly; if the parser was
          stopped and the handler set to NULL, the parser would segfault.
        - Fixed bug #1690883: Expat failed on EBCDIC systems as it assumed
          some character constants to be ASCII encoded.
        - Minor cleanups of the test harness.
        - Fixed xmlwf bug #1513566: "out of memory" error on file size zero.
        - Fixed outline.c bug #1543233: missing a final XML_ParserFree() call.
        - Fixes and improvements for Windows platform:
          bugs #1409451, #1476160, #1548182, #1602769, #1717322.
        - Build fixes for various platforms:
          HP-UX, Tru64, Solaris 9: patch #1437840, bug #1196180.
          All Unix: #1554618 (refreshed config.sub/config.guess).
                    #1490371, #1613457: support both, DESTDIR and INSTALL_ROOT,
                    without relying on GNU-Make specific features.
          #1647805: Patched configure.in to work better with Intel compiler.
        - Fixes to Makefile.in to have make check work correctly:
          bugs #1408143, #1535603, #1536684.
        - Added Open Watcom support: patch #1523242.

Release 2.0.0 Wed Jan 11 2006
595        - We no longer use the "check" library for C unit testing; we
596          always use the (partial) internal implementation of the API.
597        - Report XML_NS setting via XML_GetFeatureList().
598        - Fixed headers for use from C++.
599        - XML_GetCurrentLineNumber() and  XML_GetCurrentColumnNumber()
600          now return unsigned integers.
601        - Added XML_LARGE_SIZE switch to enable 64-bit integers for
602          byte indexes and line/column numbers.
603        - Updated to use libtool 1.5.22 (the most recent).
604        - Added support for AmigaOS.
605        - Some mostly minor bug fixes. SF issues include: #1006708,
606          #1021776, #1023646, #1114960, #1156398, #1221160, #1271642.
607
Release 1.95.8 Fri Jul 23 2004
        - Major new feature: suspend/resume.  Handlers can now request
          that a parse be suspended for later resumption or aborted
          altogether.  See "Temporarily Stopping Parsing" in the
          documentation for more details.
        - Some mostly minor bug fixes, but compilation should no
          longer generate warnings on most platforms.  SF issues
          include: #827319, #840173, #846309, #888329, #896188, #923913,
          #928113, #961698, #985192.

Release 1.95.7 Mon Oct 20 2003
        - Fixed enum XML_Status issue (reported on SourceForge many
          times), so compilers that are properly picky will be happy.
        - Introduced an XMLCALL macro to control the calling
          convention used by the Expat API; this macro should be used
          to annotate prototypes and definitions of callback
          implementations in code compiled with a calling convention
          other than the default convention for the host platform.
        - Improved ability to build without the configure-generated
          expat_config.h header.  This is useful for applications
          which embed Expat rather than linking in the library.
        - Fixed a variety of bugs: see SF issues #458907, #609603,
          #676844, #679754, #692878, #692964, #695401, #699323, #699487,
          #820946.
        - Improved hash table lookups.
        - Added more regression tests and improved documentation.

Release 1.95.6 Tue Jan 28 2003
        - Added XML_FreeContentModel().
        - Added XML_MemMalloc(), XML_MemRealloc(), XML_MemFree().
        - Fixed a variety of bugs: see SF issues #615606, #616863,
          #618199, #653180, #673791.
        - Enhanced the regression test suite.
        - Man page improvements: includes SF issue #632146.

Release 1.95.5 Fri Sep 6 2002
        - Added XML_UseForeignDTD() for improved SAX2 support.
        - Added XML_GetFeatureList().
        - Defined XML_Bool type and the values XML_TRUE and XML_FALSE.
        - Use an incomplete struct instead of a void* for the parser
          (may not retain).
        - Fixed UTF-8 decoding bug that caused legal UTF-8 to be rejected.
        - Finally fixed bug where default handler would report DTD
          events that were already handled by another handler.
          Initial patch contributed by Darryl Miles.
        - Removed unnecessary DllMain() function that caused static
          linking into a DLL to be difficult.
        - Added VC++ projects for building static libraries.
        - Reduced line-length for all source code and headers to be
          no longer than 80 characters, to help with AS/400 support.
        - Reduced memory copying during parsing (SF patch #600964).
        - Fixed a variety of bugs: see SF issues #580793, #434664,
          #483514, #580503, #581069, #584041, #584183, #584832, #585537,
          #596555, #596678, #598352, #598944, #599715, #600479, #600971.

Release 1.95.4 Fri Jul 12 2002
        - Added support for VMS, contributed by Craig Berry.  See
          vms/README.vms for more information.
        - Added Mac OS (classic) support, with a makefile for MPW,
          contributed by Thomas Wegner and Daryle Walker.
        - Added Borland C++ Builder 5 / BCC 5.5 support, contributed
          by Patrick McConnell (SF patch #538032).
        - Fixed a variety of bugs: see SF issues #441449, #563184,
          #564342, #566334, #566901, #569461, #570263, #575168, #579196.
        - Made skippedEntityHandler conform to SAX2 (see source comment)
        - Re-implemented WFC: Entity Declared from XML 1.0 spec and
          added a new error "entity declared in parameter entity":
          see SF bug report #569461 and SF patch #578161
        - Re-implemented section 5.1 from XML 1.0 spec:
          see SF bug report #570263 and SF patch #578161

Release 1.95.3 Mon Jun 3 2002
        - Added a project to the MSVC workspace to create a wchar_t
          version of the library; the DLLs are named libexpatw.dll.
        - Changed the name of the Windows DLLs from expat.dll to
          libexpat.dll; this fixes SF bug #432456.
        - Added the XML_ParserReset() API function.
        - Fixed XML_SetReturnNSTriplet() to work for element names.
        - Made the XML_UNICODE builds usable (thanks, Karl!).
        - Allow xmlwf to read from standard input.
        - Install a man page for xmlwf on Unix systems.
        - Fixed many bugs; see SF bug reports #231864, #461380, #464837,
          #466885, #469226, #477667, #484419, #487840, #494749, #496505,
          #547350.  Other bugs which we can't test as easily may also
          have been fixed, especially in the area of build support.

Release 1.95.2 Fri Jul 27 2001
        - More changes to make MSVC happy with the build; add a single
          workspace to support both the library and xmlwf application.
        - Added a Windows installer for Windows users; includes
          xmlwf.exe.
        - Added compile-time constants that can be used to determine the
          Expat version
        - Removed a lot of GNU-specific dependencies to aid portability
          among the various Unix flavors.
        - Fix the UTF-8 BOM bug.
        - Cleaned up warning messages for several compilers.
        - Added the -Wall, -Wstrict-prototypes options for GCC.

Release 1.95.1 Sun Oct 22 15:11:36 EDT 2000
        - Changes to get expat to build under Microsoft compiler
        - Removed all aborts and instead return an UNEXPECTED_STATE error.
        - Fixed a bug where a stray '%' in an entity value would cause an
          abort.
        - Defined XML_SetEndNamespaceDeclHandler. Thanks to Darryl Miles for
          finding this oversight.
        - Changed default patterns in lib/Makefile.in to fit non-GNU makes
          Thanks to robin@unrated.net for reporting and providing an
          account to test on.
        - The reference had the wrong label for XML_SetStartNamespaceDecl.
          Reported by an anonymous user.

Release 1.95.0 Fri Sep 29 2000
        - XML_ParserCreate_MM
                Allows you to set a memory management suite to replace the
                standard malloc, realloc, and free.
        - XML_SetReturnNSTriplet
                If you turn this feature on when namespace processing is in
                effect, then qualified, prefixed element and attribute names
                are returned as "uri|name|prefix" where '|' is whatever
                separator character is used in namespace processing.
        - Merged in features from perl-expat
                o XML_SetElementDeclHandler
                o XML_SetAttlistDeclHandler
                o XML_SetXmlDeclHandler
                o XML_SetEntityDeclHandler
                o StartDoctypeDeclHandler takes 3 additional parameters:
                        sysid, pubid, has_internal_subset
                o Many paired handler setters (like XML_SetElementHandler)
                  now have corresponding individual handler setters
                o XML_GetInputContext for getting the input context of
                  the current parse position.
        - Added reference material
        - Packaged into a distribution that builds a sharable library