Change History (4)
comment:3 by , 2 weeks ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Fixed at commit c67516b6a9.
Update to systemd-259.1. Update to shadow-4.19.3. Update to setuptools-81.0.0 (Python module). Update to Python3-3.14.3. Update to procps-ng-4.0.6. Update to linux-6.18.9. Update to gettext-1.0. Update to expat-2.7.4 (Security update). Update to coreutils-9.10.tar.xz.
Note:
See TracTickets
for help on using tickets.
Release 2.7.4 Sat January 31 2026 Security fixes: #1131 CVE-2026-24515 -- Function XML_ExternalEntityParserCreate failed to copy the encoding handler data passed to XML_SetUnknownEncodingHandler from the parent to the new subparser. This can cause a NULL dereference (CWE-476) from external entities that declare use of an unknown encoding. The expected impact is denial of service. It takes use of both functions XML_ExternalEntityParserCreate and XML_SetUnknownEncodingHandler for an application to be vulnerable. #1075 CVE-2026-25210 -- Add missing check for integer overflow related to buffer size determination in function doContent Bug fixes: #1073 lib: Fix missing undoing of group size expansion in doProlog failure cases #1107 xmlwf: Fix a memory leak #1104 WASI: Fix format specifiers for 32bit WASI SDK Other changes: #1105 lib: Fix strict aliasing #1106 lib: Leverage feature "flexible array member" of C99 #1051 lib: Swap (size_t)(-1) for C99 equivalent SIZE_MAX #1109 lib|xmlwf: Return NULL instead of 0 for pointers #1068 lib|Windows: Clean up use of macro _MSC_EXTENSIONS with MSVC #1112 lib: Remove unused import #1110 xmlwf: Warn about XXE in --help output (and man page) #1102 #1103 WASI: Stop using getpid #1113 #1130 Autotools: Drop file expat.m4 that provided obsolete Autoconf macro AM_WITH_EXPAT #1123 Autotools: Limit -Wno-pedantic-ms-format to MinGW #1129 #1134 .. #1087 Autotools|macOS: Sync CMake templates with CMake 4.0 #1139 #1140 Autotools|CMake: Introduce off-by-default symbol versioning The related build system flags are: - For Autotools, configure with --enable-symbol-versioning - For CMake, configure with -DEXPAT_SYMBOL_VERSIONING=ON Please double-check for consequences before activating this inside distro packaging. Bug reports welcome! #1117 Autotools|CMake: Remove libbsd support #1105 Autotools|CMake: Stop using -fno-strict-aliasing, and use -Wstrict-aliasing=3 instead #1124 Autotools|CMake: Prefer command gsed (GNU sed) over sed (e.g. for Solaris) inside fix-xmltest-log.sh #1067 CMake: Detect and warn about unusable check_c_compiler_flag #1137 CMake: Drop support for CMake <3.17 #1138 CMake|Windows: Fix libexpat.def.cmake version comments #1086 #1110 docs: Add warning about external reference handlers and XXE #1066 docs: Be explicit that parent parsers need to outlive subparsers #1089 .. #1090 #1091 .. #1092 #1093 .. #1094 #1098 .. #1115 #1116 docs: Misc non-content improvements to doc/reference.html #1132 #1133 Version info bumped from 12:1:11 (libexpat*.so.1.11.1) to 12:2:11 (libexpat*.so.1.11.2); see https://verbump.de/ for what these numbers do Infrastructure: #1119 #1121 Document guidelines for contributing to Expat #1120 Introduce a pull request template #1074 CI: Stop using about-to-be-removed image "macos-13" #1083 #1088 CI: Mitigate random Wine crashes #1104 CI: Cover compilation with WASI SDK #1116 CI: Enforce clean doc XML formatting #1124 .. #1135 #1136 CI: Cover Solaris 11.4 #1125 CI: Extend CI coverage of FreeBSD #1139 #1140 CI: Cover symbol versioning #1114 xmlwf: Reformat helpgen code (using Black 25.12.0) #1071 .gitignore: Add files CPackConfig.cmake and CPackSourceConfig.cmake