Opened 3 weeks ago

Closed 2 weeks ago

Last modified 2 weeks ago

#5855 closed enhancement (fixed)

expat-2.7.4

Reported by: Bruce Dubbs Owned by: lfs-book
Priority: high Milestone: 13.0
Component: Book Version: git
Severity: normal Keywords:
Cc:

Description

New point version.

Change History (4)

comment:1 by Xi Ruoyao, 3 weeks ago

Priority: normalhigh 
Release 2.7.4 Sat January 31 2026
        Security fixes:
           #1131  CVE-2026-24515 -- Function XML_ExternalEntityParserCreate
                    failed to copy the encoding handler data passed to
                    XML_SetUnknownEncodingHandler from the parent to the new
                    subparser. This can cause a NULL dereference (CWE-476) from
                    external entities that declare use of an unknown encoding.
                    The expected impact is denial of service. It takes use of
                    both functions XML_ExternalEntityParserCreate and
                    XML_SetUnknownEncodingHandler for an application to be
                    vulnerable.
           #1075  CVE-2026-25210 -- Add missing check for integer overflow
                    related to buffer size determination in function doContent

        Bug fixes:
           #1073  lib: Fix missing undoing of group size expansion in doProlog
                    failure cases
           #1107  xmlwf: Fix a memory leak
           #1104  WASI: Fix format specifiers for 32bit WASI SDK

        Other changes:
           #1105  lib: Fix strict aliasing
           #1106  lib: Leverage feature "flexible array member" of C99
           #1051  lib: Swap (size_t)(-1) for C99 equivalent SIZE_MAX
           #1109  lib|xmlwf: Return NULL instead of 0 for pointers
           #1068  lib|Windows: Clean up use of macro _MSC_EXTENSIONS with MSVC
           #1112  lib: Remove unused import
           #1110  xmlwf: Warn about XXE in --help output (and man page)
     #1102 #1103  WASI: Stop using getpid
     #1113 #1130  Autotools: Drop file expat.m4 that provided obsolete Autoconf
                    macro AM_WITH_EXPAT
           #1123  Autotools: Limit -Wno-pedantic-ms-format to MinGW
  #1129 #1134 ..
           #1087  Autotools|macOS: Sync CMake templates with CMake 4.0
     #1139 #1140  Autotools|CMake: Introduce off-by-default symbol versioning
                    The related build system flags are:
                    - For Autotools, configure with --enable-symbol-versioning
                    - For CMake, configure with -DEXPAT_SYMBOL_VERSIONING=ON
                    Please double-check for consequences before activating
                    this inside distro packaging. Bug reports welcome!
           #1117  Autotools|CMake: Remove libbsd support
           #1105  Autotools|CMake: Stop using -fno-strict-aliasing, and use
                    -Wstrict-aliasing=3 instead
                    -Wstrict-aliasing=3 instead
           #1124  Autotools|CMake: Prefer command gsed (GNU sed) over sed
                    (e.g. for Solaris) inside fix-xmltest-log.sh
           #1067  CMake: Detect and warn about unusable check_c_compiler_flag
           #1137  CMake: Drop support for CMake <3.17
           #1138  CMake|Windows: Fix libexpat.def.cmake version comments

     #1086 #1110  docs: Add warning about external reference handlers and XXE
           #1066  docs: Be explicit that parent parsers need to outlive
                    subparsers
Version 0, edited 3 weeks ago by Xi Ruoyao (next)

comment:2 by Bruce Dubbs, 3 weeks ago

Milestone: 12.513.0

Milestone renamed

comment:3 by Bruce Dubbs, 2 weeks ago

Resolution: fixed
Status: newclosed

Fixed at commit c67516b6a9. 

Update to systemd-259.1.
Update to shadow-4.19.3.
Update to setuptools-81.0.0 (Python module).
Update to Python3-3.14.3.
Update to procps-ng-4.0.6.
Update to linux-6.18.9.
Update to gettext-1.0.
Update to expat-2.7.4 (Security update).
Update to coreutils-9.10.tar.xz.

comment:4 by Douglas R. Reno, 2 weeks ago

SA-12.4-086 issued.

Note: See TracTickets for help on using tickets.