| 1 | | Security fixes: |
| 2 | | - CVE-2024-8176 -- Fix crash from chaining a large number |
| 3 | | of entities caused by stack overflow by resolving use of |
| 4 | | recursion, for all three uses of entities: |
| 5 | | - general entities in character data ("<e>&g1;</e>") |
| 6 | | - general entities in attribute values ("<e k1='&g1;'/>") |
| 7 | | - parameter entities ("%p1;") |
| 8 | | Known impact is (reliable and easy) denial of service: |
| 9 | | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C |
| 10 | | (Base Score: 7.5, Temporal Score: 7.2) |
| 11 | | Please note that a layer of compression around XML can |
| 12 | | significantly reduce the minimum attack payload size. |
| 13 | | |
| 14 | | Other changes: |
| 15 | | - Autotools: Make generated CMake files look for |
| 16 | | libexpat.@SO_MAJOR@.dylib on macOS |
| 17 | | - Autotools: Sync CMake templates with CMake 3.29 |
| 18 | | - CMake: Drop support for CMake <3.13 |
| 19 | | - CMake: Small fuzzing related improvements |
| 20 | | - docs: Add missing documentation of error code |
| 21 | | XML_ERROR_NOT_STARTED that was introduced with 2.6.4 |
| 22 | | - docs: Document need for C++11 compiler for use from C++ |
| 23 | | - tests/benchmark: Fix a (harmless) TOCTTOU |
| 24 | | - Windows: Fix installer target location of file xmlwf.xml |
| 25 | | for CMake |
| 26 | | - Windows: Address warning -Wunknown-warning-option |
| 27 | | about -Wno-pedantic-ms-format from LLVM MinGW |
| 28 | | - Address Cppcheck warnings |
| 29 | | - Mass-migrate links from http:// to https:// |
| 30 | | |
| 31 | | Document changes since the previous release |
| 32 | | - Version info bumped from 11:0:10 (libexpat*.so.1.10.0) |
| 33 | | to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ |
| 34 | | for what these numbers do |
| 35 | | |
| 36 | | Infrastructure: |
| 37 | | - tests: Increase robustness |
| 38 | | - tests: Increase test coverage |
| 39 | | - Fuzzing: Add new fuzzer "xml_lpm_fuzzer" based on |
| 40 | | Google's libprotobuf-mutator ("LPM") |
| 41 | | - Fuzzing|CI: Start producing fuzzing code coverage reports |
| 42 | | - CI: Pass -q -q for LCOV >=2.1 in coverage.sh |
| 43 | | - CI: Small fuzzing related improvements |
| 44 | | - CI: Make GitHub Actions build using MSVC on Windows and |
| 45 | | produce 32bit and 64bit Windows binaries |
| 46 | | - CI: Get off of about-to-be-removed Ubuntu 20.04 |
| 47 | | - CI: Start uploading to Coverity Scan for static analysis |
| 48 | | - CI: Stop loading DTD from the internet to address flaky CI |
| 49 | | - CI: Adapt to breaking changes in Cppcheck |
| | 1 | Deleted. Entered for another package (expat). |
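Review bot: The single replacement line ("Deleted. Entered for another package (expat).") removes the CVE-2024-8176 entry without saying where the text now lives, so anyone searching this file for that CVE or for the 11:0:10 to 11:1:10 version-info bump loses the trail. Consider naming the exact destination entry in the replacement line. Before this deletion lands, also confirm that the full removed text is present under expat, including the CVSS vector and the note that compression around XML reduces the minimum payload size.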