1NOTE: We are looking for help with a few things: 2 https://github.com/libexpat/libexpat/labels/help%20wanted 3 If you can help, please get in touch. Thanks! 4 5Release 2.4.6 Sun February 20 2022 6 Bug fixes: 7 #566 Fix a regression introduced by the fix for CVE-2022-25313 8 in release 2.4.5 that affects applications that (1) 9 call function XML_SetElementDeclHandler and (2) are 10 parsing XML that contains nested element declarations 11 (e.g. "<!ELEMENT junk ((bar|foo|xyz+), zebra*)>"). 12 13 Other changes: 14 #567 #568 Version info bumped from 9:5:8 to 9:6:8; 15 see https://verbump.de/ for what these numbers do 16 17 Special thanks to: 18 Matt Sergeant 19 Samanta Navarro 20 Sergei Trofimovich 21 and 22 NixOS 23 Perl XML::Parser 24 25Release 2.4.5 Fri February 18 2022 26 Security fixes: 27 #562 CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8 28 sequences (e.g. from start tag names) to the XML 29 processing application on top of Expat can cause 30 arbitrary damage (e.g. code execution) depending 31 on how invalid UTF-8 is handled inside the XML 32 processor; validation was not their job but Expat's. 33 Exploits with code execution are known to exist. 34 #561 CVE-2022-25236 -- Passing (one or more) namespace separator 35 characters in "xmlns[:prefix]" attribute values 36 made Expat send malformed tag names to the XML 37 processor on top of Expat which can cause 38 arbitrary damage (e.g. code execution) depending 39 on such unexpectable cases are handled inside the XML 40 processor; validation was not their job but Expat's. 41 Exploits with code execution are known to exist. 42 #558 CVE-2022-25313 -- Fix stack exhaustion in doctype parsing 43 that could be triggered by e.g. a 2 megabytes 44 file with a large number of opening braces. 45 Expected impact is denial of service or potentially 46 arbitrary code execution. 47 #560 CVE-2022-25314 -- Fix integer overflow in function copyString; 48 only affects the encoding name parameter at parser creation 49 time which is often hardcoded (rather than user input), 50 takes a value in the gigabytes to trigger, and a 64-bit 51 machine. Expected impact is denial of service. 52 #559 CVE-2022-25315 -- Fix integer overflow in function storeRawNames; 53 needs input in the gigabytes and a 64-bit machine. 54 Expected impact is denial of service or potentially 55 arbitrary code execution. 56 57 Other changes: 58 #557 #564 Version info bumped from 9:4:8 to 9:5:8; 59 see https://verbump.de/ for what these numbers do 60 61 Special thanks to: 62 Ivan Fratric 63 Samanta Navarro 64 and 65 Google Project Zero 66 JetBrains 67 68Release 2.4.4 Sun January 30 2022 69 Security fixes: 70 #550 CVE-2022-23852 -- Fix signed integer overflow 71 (undefined behavior) in function XML_GetBuffer 72 (that is also called by function XML_Parse internally) 73 for when XML_CONTEXT_BYTES is defined to >0 (which is both 74 common and default). 75 Impact is denial of service or more. 76 #551 CVE-2022-23990 -- Fix unsigned integer overflow in function 77 doProlog triggered by large content in element type 78 declarations when there is an element declaration handler 79 present (from a prior call to XML_SetElementDeclHandler). 80 Impact is denial of service or more. 81 82 Bug fixes: 83 #544 #545 xmlwf: Fix a memory leak on output file opening error 84 85 Other changes: 86 #546 Autotools: Fix broken CMake support under Cygwin 87 #554 Windows: Add missing files to the installer to fix 88 compilation with CMake from installed sources 89 #552 #554 Version info bumped from 9:3:8 to 9:4:8; 90 see https://verbump.de/ for what these numbers do 91 92 Special thanks to: 93 Carlo Bramini 94 hwt0415 95 Roland Illig 96 Samanta Navarro 97 and 98 Clang LeakSan and the Clang team 99 100Release 2.4.3 Sun January 16 2022 101 Security fixes: 102 #531 #534 CVE-2021-45960 -- Fix issues with left shifts by >=29 places 103 resulting in 104 a) realloc acting as free 105 b) realloc allocating too few bytes 106 c) undefined behavior 107 depending on architecture and precise value 108 for XML documents with >=2^27+1 prefixed attributes 109 on a single XML tag a la 110 "<r xmlns:a='[..]' a:a123='[..]' [..] />" 111 where XML_ParserCreateNS is used to create the parser 112 (which needs argument "-n" when running xmlwf). 113 Impact is denial of service, or more. 114 #532 #538 CVE-2021-46143 (ZDI-CAN-16157) -- Fix integer overflow 115 on variable m_groupSize in function doProlog leading 116 to realloc acting as free. 117 Impact is denial of service or more. 118 #539 CVE-2022-22822 to CVE-2022-22827 -- Prevent integer overflows 119 near memory allocation at multiple places. Mitre assigned 120 a dedicated CVE for each involved internal C function: 121 - CVE-2022-22822 for function addBinding 122 - CVE-2022-22823 for function build_model 123 - CVE-2022-22824 for function defineAttribute 124 - CVE-2022-22825 for function lookup 125 - CVE-2022-22826 for function nextScaffoldPart 126 - CVE-2022-22827 for function storeAtts 127 Impact is denial of service or more. 128 129 Other changes: 130 #535 CMake: Make call to file(GENERATE [..]) work for CMake <3.19 131 #541 Autotools|CMake: MinGW: Make run.sh(.in) work for Cygwin 132 and MSYS2 by not going through Wine on these platforms 133 #527 #528 Address compiler warnings 134 #533 #543 Version info bumped from 9:2:8 to 9:3:8; 135 see https://verbump.de/ for what these numbers do 136 137 Infrastructure: 138 #536 CI: Check for realistic minimum CMake version 139 #529 #539 CI: Cover compilation with -m32 140 #529 CI: Store coverage reports as artifacts for download 141 #528 CI: Upgrade Clang from 11 to 13 142 143 Special thanks to: 144 An anonymous whitehat 145 Christopher Degawa 146 J. Peter Mugaas 147 Tyson Smith 148 and 149 GCC Farm Project 150 Trend Micro Zero Day Initiative 151 152Release 2.4.2 Sun December 19 2021 153 Other changes: 154 #509 #510 Link againgst libm for function "isnan" 155 #513 #514 Include expat_config.h as early as possible 156 #498 Autotools: Include files with release archives: 157 - buildconf.sh 158 - fuzz/*.c 159 #507 #519 Autotools: Sync CMake templates 160 #495 #524 CMake: MinGW: Fix pkg-config section "Libs" for 161 - non-release build types (e.g. -DCMAKE_BUILD_TYPE=Debug) 162 - multi-config CMake generators (e.g. Ninja Multi-Config) 163 #502 #503 docs: Document that function XML_GetBuffer may return NULL 164 when asking for a buffer of 0 (zero) bytes size 165 #522 #523 docs: Fix return value docs for both 166 XML_SetBillionLaughsAttackProtection* functions 167 #525 #526 Version info bumped from 9:1:8 to 9:2:8; 168 see https://verbump.de/ for what these numbers do 169 170 Special thanks to: 171 Dong-hee Na 172 Joergen Ibsen 173 Kai Pastor 174 175Release 2.4.1 Sun May 23 2021 176 Bug fixes: 177 #488 #490 Autotools: Fix installed header expat_config.h for multilib 178 systems; regression introduced in 2.4.0 by pull request #486 179 180 Other changes: 181 #491 #492 Version info bumped from 9:0:8 to 9:1:8; 182 see https://verbump.de/ for what these numbers do 183 184 Special thanks to: 185 Gentoo's QA check "multilib_check_headers" 186 187Release 2.4.0 Sun May 23 2021 188 Security fixes: 189 #34 #466 #484 CVE-2013-0340/CWE-776 -- Protect against billion laughs attacks 190 (denial-of-service; flavors targeting CPU time or RAM or both, 191 leveraging general entities or parameter entities or both) 192 by tracking and limiting the input amplification factor 193 (<amplification> := (<direct> + <indirect>) / <direct>). 194 By conservative default, amplification up to a factor of 100.0 195 is tolerated and rejection only starts after 8 MiB of output bytes 196 (=<direct> + <indirect>) have been processed. 197 The fix adds the following to the API: 198 - A new error code XML_ERROR_AMPLIFICATION_LIMIT_BREACH to 199 signals this specific condition. 200 - Two new API functions .. 201 - XML_SetBillionLaughsAttackProtectionMaximumAmplification and 202 - XML_SetBillionLaughsAttackProtectionActivationThreshold 203 .. to further tighten billion laughs protection parameters 204 when desired. Please see file "doc/reference.html" for details. 205 If you ever need to increase the defaults for non-attack XML 206 payload, please file a bug report with libexpat. 207 - Two new XML_FEATURE_* constants .. 208 - that can be queried using the XML_GetFeatureList function, and 209 - that are shown in "xmlwf -v" output. 210 - Two new environment variable switches .. 211 - EXPAT_ACCOUNTING_DEBUG=(0|1|2|3) and 212 - EXPAT_ENTITY_DEBUG=(0|1) 213 .. for runtime debugging of accounting and entity processing. 214 Specific behavior of these values may change in the future. 215 - Two new command line arguments "-a FACTOR" and "-b BYTES" 216 for xmlwf to further tighten billion laughs protection 217 parameters when desired. 218 If you ever need to increase the defaults for non-attack XML 219 payload, please file a bug report with libexpat. 220 221 Bug fixes: 222 #332 #470 For (non-default) compilation with -DEXPAT_MIN_SIZE=ON (CMake) 223 or CPPFLAGS=-DXML_MIN_SIZE (GNU Autotools): Fix segfault 224 for UTF-16 payloads containing CDATA sections. 225 #485 #486 Autotools: Fix generated CMake files for non-64bit and 226 non-Linux platforms (e.g. macOS and MinGW in particular) 227 that were introduced with release 2.3.0 228 229 Other changes: 230 #468 #469 xmlwf: Improve help output and the xmlwf man page 231 #463 xmlwf: Improve maintainability through some refactoring 232 #477 xmlwf: Fix man page DocBook validity 233 #458 #459 CMake: Support absolute paths for both CMAKE_INSTALL_LIBDIR 234 and CMAKE_INSTALL_INCLUDEDIR 235 #471 #481 CMake: Add support for standard variable BUILD_SHARED_LIBS 236 #457 Unexpose symbol _INTERNAL_trim_to_complete_utf8_characters 237 #467 Resolve macro HAVE_EXPAT_CONFIG_H 238 #472 Delete unused legacy helper file "conftools/PrintPath" 239 #473 #483 Improve attribution 240 #464 #465 #477 doc/reference.html: Fix XHTML validity 241 #475 #478 doc/reference.html: Replace the 90s look by OK.css 242 #479 Version info bumped from 8:0:7 to 9:0:8 243 due to addition of new symbols and error codes; 244 see https://verbump.de/ for what these numbers do 245 246 Infrastructure: 247 #456 CI: Enable periodic runs 248 #457 CI: Start covering the list of exported symbols 249 #474 CI: Isolate coverage task 250 #476 #482 CI: Adapt to breaking changes in image "ubuntu-18.04" 251 #477 CI: Cover well-formedness and DocBook/XHTML validity 252 of doc/reference.html and doc/xmlwf.xml 253 254 Special thanks to: 255 Dimitry Andric 256 Eero Helenius 257 Nick Wellnhofer 258 Rhodri James 259 Tomas Korbar 260 Yury Gribov 261 and 262 Clang LeakSan 263 JetBrains 264 OSS-Fuzz 265 266Release 2.3.0 Thu March 25 2021 267 Bug fixes: 268 #438 When calling XML_ParseBuffer without a prior successful call to 269 XML_GetBuffer as a user, no longer trigger undefined behavior 270 (by adding an integer to a NULL pointer) but rather return 271 XML_STATUS_ERROR and set the error code to (new) code 272 XML_ERROR_NO_BUFFER. Found by UBSan (UndefinedBehaviorSanitizer) 273 of Clang 11 (but not Clang 9). 274 #444 xmlwf: Exit status 2 was used for both: 275 - malformed input files (documented) and 276 - invalid command-line arguments (undocumented). 277 The case of invalid command-line arguments now 278 has its own exit status 4, resolving the ambiguity. 279 280 Other changes: 281 #439 xmlwf: Add argument -k to allow continuing after 282 non-fatal errors 283 #439 xmlwf: Add section about exit status to the -h help output 284 #422 #426 #447 Windows: Drop support for Visual Studio <=14.0/2015 285 #434 Windows: CMake: Detect unsupported Visual Studio at 286 configure time (rather than at compile time) 287 #382 #428 testrunner: Make verbose mode (argument "-v") report 288 about passed tests, and make default mode report about 289 failures, as well. 290 #442 CMake: Call "enable_language(CXX)" prior to tinkering 291 with CMAKE_CXX_* variables 292 #448 Document use of libexpat from a CMake-based project 293 #451 Autotools: Install CMake files as generated by CMake 3.19.6 294 so that users with "find_package(expat [..] CONFIG [..])" 295 are served on distributions that are *not* using the CMake 296 build system inside for libexpat packaging 297 #436 #437 Autotools: Drop obsolescent macro AC_HEADER_STDC 298 #450 #452 Autotools: Resolve use of obsolete macro AC_CONFIG_HEADER 299 #441 Address compiler warnings 300 #443 Version info bumped from 7:12:6 to 8:0:7 301 due to addition of error code XML_ERROR_NO_BUFFER 302 (see https://verbump.de/ for what these numbers do) 303 304 Infrastructure: 305 #435 #446 Replace Travis CI by GitHub Actions 306 307 Special thanks to: 308 Alexander Richardson 309 Oleksandr Popovych 310 Thomas Beutlich 311 Tim Bray 312 and 313 Clang LeakSan, Clang 11 UBSan and the Clang team 314 315Release 2.2.10 Sat October 3 2020 316 Bug fixes: 317 #390 #395 #398 Fix undefined behavior during parsing caused by 318 pointer arithmetic with NULL pointers 319 #404 #405 Fix reading uninitialized variable during parsing 320 #406 xmlwf: Add missing check for malloc NULL return 321 322 Other changes: 323 #396 Windows: Drop support for Visual Studio <=8.0/2005 324 #409 Windows: Add missing file "Changes" to the installer 325 to fix compilation with CMake from installed sources 326 #403 xmlwf: Document exit codes in xmlwf manpage and 327 exit with code 3 (rather than code 1) for output errors 328 when used with "-d DIRECTORY" 329 #356 #359 MinGW: Provide declaration of rand_s for mingwrt <5.3.0 330 #383 #392 Autotools: Use -Werror while configure tests the compiler 331 for supported compile flags to avoid false positives 332 #383 #393 #394 Autotools: Improve handling of user (C|CPP|CXX|LD)FLAGS, 333 e.g. ensure that they have the last word over flags added 334 while running ./configure 335 #360 CMake: Create libexpatw.{dll,so} and expatw.pc (with emphasis 336 on suffix "w") with -DEXPAT_CHAR_TYPE=(ushort|wchar_t) 337 #360 CMake: Detect and deny unsupported build combinations 338 involving -DEXPAT_CHAR_TYPE=(ushort|wchar_t) 339 #360 CMake: Install pre-compiled shipped xmlwf.1 manpage in case 340 of -DEXPAT_BUILD_DOCS=OFF 341 #375 #380 #419 CMake: Fix use of Expat by means of add_subdirectory 342 #407 #408 CMake: Keep expat target name constant at "expat" 343 (i.e. refrain from using the target name to control 344 build artifact filenames) 345 #385 CMake: Fix compilation with -DEXPAT_SHARED_LIBS=OFF for 346 Windows 347 CMake: Expose man page compilation as target "xmlwf-manpage" 348 #413 #414 CMake: Introduce option EXPAT_BUILD_PKGCONFIG 349 to control generation of pkg-config file "expat.pc" 350 #424 CMake: Add minimalistic support for building binary packages 351 with CMake target "package"; based on CPack 352 #366 CMake: Add option -DEXPAT_OSSFUZZ_BUILD=(ON|OFF) with 353 default OFF to build fuzzer code against OSS-Fuzz and 354 related environment variable LIB_FUZZING_ENGINE 355 #354 Fix testsuite for -DEXPAT_DTD=OFF and -DEXPAT_NS=OFF, each 356 #354 #355 .. 357 #356 #412 Address compiler warnings 358 #368 #369 Address pngcheck warnings with doc/*.png images 359 #425 Version info bumped from 7:11:6 to 7:12:6 360 361 Special thanks to: 362 asavah 363 Ben Wagner 364 Bhargava Shastry 365 Frank Landgraf 366 Jeffrey Walton 367 Joe Orton 368 Kleber Tarcísio 369 Ma Lin 370 Maciej Sroczyński 371 Mohammed Khajapasha 372 Vadim Zeitlin 373 and 374 Cppcheck 2.0 and the Cppcheck team 375 376Release 2.2.9 Wed September 25 2019 377 Other changes: 378 examples: Drop executable bits from elements.c 379 #349 Windows: Change the name of the Windows DLLs from expat*.dll 380 to libexpat*.dll once more (regression from 2.2.8, first 381 fixed in 1.95.3, issue #61 on SourceForge today, 382 was issue #432456 back then); needs a fix due 383 case-insensitive file systems on Windows and the fact that 384 Perl's XML::Parser::Expat compiles into Expat.dll. 385 #347 Windows: Only define _CRT_RAND_S if not defined 386 Version info bumped from 7:10:6 to 7:11:6 387 388 Special thanks to: 389 Ben Wagner 390 391Release 2.2.8 Fri September 13 2019 392 Security fixes: 393 #317 #318 CVE-2019-15903 -- Fix heap overflow triggered by 394 XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber), 395 and deny internal entities closing the doctype; 396 fixed in commit c20b758c332d9a13afbbb276d30db1d183a85d43 397 398 Bug fixes: 399 #240 Fix cases where XML_StopParser did not have any effect 400 when called from inside of an end element handler 401 #341 xmlwf: Fix exit code for operation without "-d DIRECTORY"; 402 previously, only "-d DIRECTORY" would give you a proper 403 exit code: 404 # xmlwf -d . <<<'<not well-formed>' 2>/dev/null ; echo $? 405 2 406 # xmlwf <<<'<not well-formed>' 2>/dev/null ; echo $? 407 0 408 Now both cases return exit code 2. 409 410 Other changes: 411 #299 #302 Windows: Replace LoadLibrary hack to access 412 unofficial API function SystemFunction036 (RtlGenRandom) 413 by using official API function rand_s (needs WinXP+) 414 #325 Windows: Drop support for Visual Studio <=7.1/2003 415 and document supported compilers in README.md 416 #286 Windows: Remove COM code from xmlwf; in case it turns 417 out needed later, there will be a dedicated repository 418 below https://github.com/libexpat/ for that code 419 #322 Windows: Remove explicit MSVC solution and project files. 420 You can generate Visual Studio solution files through 421 CMake, e.g.: cmake -G"Visual Studio 15 2017" . 422 #338 xmlwf: Make "xmlwf -h" help output more friendly 423 #339 examples: Improve elements.c 424 #244 #264 Autotools: Add argument --enable-xml-attr-info 425 #239 #301 Autotools: Add arguments 426 --with-getrandom 427 --without-getrandom 428 --with-sys-getrandom 429 --without-sys-getrandom 430 #312 #343 Autotools: Fix linking issues with "./configure LD=clang" 431 Autotools: Fix "make run-xmltest" for out-of-source builds 432 #329 #336 CMake: Pull all options from Expat <=2.2.7 into namespace 433 prefix EXPAT_ with the exception of DOCBOOK_TO_MAN: 434 - BUILD_doc -> EXPAT_BUILD_DOCS (plural) 435 - BUILD_examples -> EXPAT_BUILD_EXAMPLES 436 - BUILD_shared -> EXPAT_SHARED_LIBS 437 - BUILD_tests -> EXPAT_BUILD_TESTS 438 - BUILD_tools -> EXPAT_BUILD_TOOLS 439 - DOCBOOK_TO_MAN -> DOCBOOK_TO_MAN (unchanged) 440 - INSTALL -> EXPAT_ENABLE_INSTALL 441 - MSVC_USE_STATIC_CRT -> EXPAT_MSVC_STATIC_CRT 442 - USE_libbsd -> EXPAT_WITH_LIBBSD 443 - WARNINGS_AS_ERRORS -> EXPAT_WARNINGS_AS_ERRORS 444 - XML_CONTEXT_BYTES -> EXPAT_CONTEXT_BYTES 445 - XML_DEV_URANDOM -> EXPAT_DEV_URANDOM 446 - XML_DTD -> EXPAT_DTD 447 - XML_NS -> EXPAT_NS 448 - XML_UNICODE -> EXPAT_CHAR_TYPE=ushort (!) 449 - XML_UNICODE_WCHAR_T -> EXPAT_CHAR_TYPE=wchar_t (!) 450 #244 #264 CMake: Add argument -DEXPAT_ATTR_INFO=(ON|OFF), 451 default OFF 452 #326 CMake: Add argument -DEXPAT_LARGE_SIZE=(ON|OFF), 453 default OFF 454 #328 CMake: Add argument -DEXPAT_MIN_SIZE=(ON|OFF), 455 default OFF 456 #239 #277 CMake: Add arguments 457 -DEXPAT_WITH_GETRANDOM=(ON|OFF|AUTO), default AUTO 458 -DEXPAT_WITH_SYS_GETRANDOM=(ON|OFF|AUTO), default AUTO 459 #326 CMake: Install expat_config.h to include directory 460 #326 CMake: Generate and install configuration files for 461 future find_package(expat [..] CONFIG [..]) 462 CMake: Now produces a summary of applied configuration 463 CMake: Require C++ compiler only when tests are enabled 464 #330 CMake: Fix compilation for 16bit character types, 465 i.e. ex -DXML_UNICODE=ON (and ex -DXML_UNICODE_WCHAR_T=ON) 466 #265 CMake: Fix linking with MinGW 467 #330 CMake: Add full support for MinGW; to enable, use 468 -DCMAKE_TOOLCHAIN_FILE=[expat]/cmake/mingw-toolchain.cmake 469 #330 CMake: Port "make run-xmltest" from GNU Autotools to CMake 470 #316 CMake: Windows: Make binary postfix match MSVC 471 Old: expat[d].lib 472 New: expat[w][d][MD|MT].lib 473 CMake: Migrate files from Windows to Unix line endings 474 #308 CMake: Integrate OSS-Fuzz fuzzers, option 475 -DEXPAT_BUILD_FUZZERS=(ON|OFF), default OFF 476 #14 Drop an OpenVMS support leftover 477 #235 #268 .. 478 #270 #310 .. 479 #313 #331 #333 Address compiler warnings 480 #282 #283 .. 481 #284 #285 Address cppcheck warnings 482 #294 #295 Address Clang Static Analyzer warnings 483 #24 #293 Mass-apply clang-format 9 (and ensure conformance during CI) 484 Version info bumped from 7:9:6 to 7:10:6 485 486 Special thanks to: 487 David Loffredo 488 Joonun Jang 489 Kishore Kunche 490 Marco Maggi 491 Mitch Phillips 492 Mohammed Khajapasha 493 Rolf Ade 494 xantares 495 Zhongyuan Zhou 496 497Release 2.2.7 Wed June 19 2019 498 Security fixes: 499 #186 #262 CVE-2018-20843 -- Fix extraction of namespace prefixes from 500 XML names; XML names with multiple colons could end up in 501 the wrong namespace, and take a high amount of RAM and CPU 502 resources while processing, opening the door to 503 use for denial-of-service attacks 504 505 Other changes: 506 #195 #197 Autotools/CMake: Utilize -fvisibility=hidden to stop 507 exporting non-API symbols 508 #227 Autotools: Add --without-examples and --without-tests 509 #228 Autotools: Modernize configure.ac 510 #245 #246 Autotools: Fix check for -fvisibility=hidden for Clang 511 #247 #248 Autotools: Fix compilation for lack of docbook2x-man 512 #236 #258 Autotools: Produce .tar.{gz,lz,xz} release archives 513 #212 CMake: Make libdir of pkgconfig expat.pc support multilib 514 #158 #263 CMake: Build man page in PROJECT_BINARY_DIR not _SOURCE_DIR 515 #219 Remove fallback to bcopy, assume that memmove(3) exists 516 #257 Use portable "/usr/bin/env bash" shebang (e.g. for OpenBSD) 517 #243 Windows: Fix syntax of .def module definition files 518 Version info bumped from 7:8:6 to 7:9:6 519 520 Special thanks to: 521 Benjamin Peterson 522 Caolán McNamara 523 Hanno Böck 524 KangLin 525 Kishore Kunche 526 Marco Maggi 527 Rhodri James 528 Sebastian Dröge 529 userwithuid 530 Yury Gribov 531 532Release 2.2.6 Sun August 12 2018 533 Bug fixes: 534 #170 #206 Avoid doing arithmetic with NULL pointers in XML_GetBuffer 535 #204 #205 Fix 2.2.5 regression with suspend-resume while parsing 536 a document like '<root/>' 537 538 Other changes: 539 #165 #168 Autotools: Fix docbook-related configure syntax error 540 #166 Autotools: Avoid grep option `-q` for Solaris 541 #167 Autotools: Support 542 ./configure DOCBOOK_TO_MAN="xmlto man --skip-validation" 543 #159 #167 Autotools: Support DOCBOOK_TO_MAN command which produces 544 xmlwf.1 rather than XMLWF.1; also covers case insensitive 545 file systems 546 #181 Autotools: Drop -rpath option passed to libtool 547 #188 Autotools: Detect and deny SGML docbook2man as ours is XML 548 #188 Autotools/CMake: Support command db2x_docbook2man as well 549 #174 CMake: Introduce option WARNINGS_AS_ERRORS, defaults to OFF 550 #184 #185 CMake: Introduce option MSVC_USE_STATIC_CRT, defaults to OFF 551 #207 #208 CMake: Introduce option XML_UNICODE and XML_UNICODE_WCHAR_T, 552 both defaulting to OFF 553 #175 CMake: Prefer check_symbol_exists over check_function_exists 554 #176 CMake: Create the same pkg-config file as with GNU Autotools 555 #178 #179 CMake: Use GNUInstallDirs module to set proper defaults for 556 install directories 557 #208 CMake: Utilize expat_config.h.cmake for XML_DEV_URANDOM 558 #180 Windows: Fix compilation of test suite for Visual Studio 2008 559 #131 #173 #202 Address compiler warnings 560 #187 #190 #200 Fix miscellaneous typos 561 Version info bumped from 7:7:6 to 7:8:6 562 563 Special thanks to: 564 Anton Maklakov 565 Benjamin Peterson 566 Brad King 567 Franek Korta 568 Frank Rast 569 Joe Orton 570 luzpaz 571 Pedro Vicente 572 Rainer Jung 573 Rhodri James 574 Rolf Ade 575 Rolf Eike Beer 576 Thomas Beutlich 577 Tomasz Kłoczko 578 579Release 2.2.5 Tue October 31 2017 580 Bug fixes: 581 #8 If the parser runs out of memory, make sure its internal 582 state reflects the memory it actually has, not the memory 583 it wanted to have. 584 #11 The default handler wasn't being called when it should for 585 a SYSTEM or PUBLIC doctype if an entity declaration handler 586 was registered. 587 #137 #138 Fix a case of mistakenly reported parsing success where 588 XML_StopParser was called from an element handler 589 #162 Function XML_ErrorString was returning NULL rather than 590 a message for code XML_ERROR_INVALID_ARGUMENT 591 introduced with release 2.2.1 592 593 Other changes: 594 #106 xmlwf: Add argument -N adding notation declarations 595 #75 #106 Test suite: Resolve expected failure cases where xmlwf 596 output was incomplete 597 #127 Windows: Fix test suite compilation 598 #126 #127 Windows: Fix compilation for Visual Studio 2012 599 Windows: Upgrade shipped project files to Visual Studio 2017 600 #33 #132 tests: Mass-fix compilation for XML_UNICODE_WCHAR_T 601 #129 examples: Fix compilation for XML_UNICODE_WCHAR_T 602 #130 benchmark: Fix compilation for XML_UNICODE_WCHAR_T 603 #144 xmlwf: Fix compilation for XML_UNICODE_WCHAR_T; still needs 604 Windows or MinGW for 2-byte wchar_t 605 #9 Address two Clang Static Analyzer false positives 606 #59 Resolve troublesome macros hiding parser struct membership 607 and dereferencing that pointer 608 #6 Resolve superfluous internal malloc/realloc switch 609 #153 #155 Improve docbook2x-man detection 610 #160 Undefine NDEBUG in the test suite (rather than rejecting it) 611 #161 Address compiler warnings 612 Version info bumped from 7:6:6 to 7:7:6 613 614 Special thanks to: 615 Benbuck Nason 616 Hans Wennborg 617 José Gutiérrez de la Concha 618 Pedro Monreal Gonzalez 619 Rhodri James 620 Rolf Ade 621 Stephen Groat 622 and 623 Core Infrastructure Initiative 624 625Release 2.2.4 Sat August 19 2017 626 Bug fixes: 627 #115 Fix copying of partial characters for UTF-8 input 628 629 Other changes: 630 #109 Fix "make check" for non-x86 architectures that default 631 to unsigned type char (-128..127 rather than 0..255) 632 #109 coverage.sh: Cover -funsigned-char 633 Autotools: Introduce --without-xmlwf argument 634 #65 Autotools: Replace handwritten Makefile with GNU Automake 635 #43 CMake: Auto-detect high quality entropy extractors, add new 636 option USE_libbsd=ON to use arc4random_buf of libbsd 637 #74 CMake: Add -fno-strict-aliasing only where supported 638 #114 CMake: Always honor manually set BUILD_* options 639 #114 CMake: Compile man page if docbook2x-man is available, only 640 #117 Include file tests/xmltest.log.expected in source tarball 641 (required for "make run-xmltest") 642 #117 Include (existing) Visual Studio 2013 files in source tarball 643 Improve test suite error output 644 #111 Fix some typos in documentation 645 Version info bumped from 7:5:6 to 7:6:6 646 647 Special thanks to: 648 Jakub Wilk 649 Joe Orton 650 Lin Tian 651 Rolf Eike Beer 652 653Release 2.2.3 Wed August 2 2017 654 Security fixes: 655 #82 CVE-2017-11742 -- Windows: Fix DLL hijacking vulnerability 656 using Steve Holme's LoadLibrary wrapper for/of cURL 657 658 Bug fixes: 659 #85 Fix a dangling pointer issue related to realloc 660 661 Other changes: 662 Increase code coverage 663 #91 Linux: Allow getrandom to fail if nonblocking pool has not 664 yet been initialized and read /dev/urandom then, instead. 665 This is in line with what recent Python does. 666 #81 Pre-10.7/Lion macOS: Support entropy from arc4random 667 #86 Check that a UTF-16 encoding in an XML declaration has the 668 right endianness 669 #4 #5 #7 Recover correctly when some reallocations fail 670 Repair "./configure && make" for systems without any 671 provider of high quality entropy 672 and try reading /dev/urandom on those 673 Ensure that user-defined character encodings have converter 674 functions when they are needed 675 Fix mis-leading description of argument -c in xmlwf.1 676 Rely on macro HAVE_ARC4RANDOM_BUF (rather than __CloudABI__) 677 for CloudABI 678 #100 Fix use of SIPHASH_MAIN in siphash.h 679 #23 Test suite: Fix memory leaks 680 Version info bumped from 7:4:6 to 7:5:6 681 682 Special thanks to: 683 Chanho Park 684 Joe Orton 685 Pascal Cuoq 686 Rhodri James 687 Simon McVittie 688 Vadim Zeitlin 689 Viktor Szakats 690 and 691 Core Infrastructure Initiative 692 693Release 2.2.2 Wed July 12 2017 694 Security fixes: 695 #43 Protect against compilation without any source of high 696 quality entropy enabled, e.g. with CMake build system; 697 commit ff0207e6076e9828e536b8d9cd45c9c92069b895 698 #60 Windows with _UNICODE: 699 Unintended use of LoadLibraryW with a non-wide string 700 resulted in failure to load advapi32.dll and degradation 701 in quality of used entropy when compiled with _UNICODE for 702 Windows; you can launch existing binaries with 703 EXPAT_ENTROPY_DEBUG=1 in the environment to inspect the 704 quality of entropy used during runtime; commits 705 * 95b95032f907ef1cd17ee7a9a1768010a825d61d 706 * 73a5a2e9c081f49f2d775cf7ced864158b68dc80 707 [MOX-006] Fix non-NULL parser parameter validation in XML_Parse; 708 resulted in NULL dereference, previously; 709 commit ac256dafdffc9622ab0dc2c62fcecb0dfcfa71fe 710 711 Bug fixes: 712 #69 Fix improper use of unsigned long long integer literals 713 714 Other changes: 715 #73 Start requiring a C99 compiler 716 #49 Fix "==" Bashism in configure script 717 #50 Fix too eager getrandom detection for Debian GNU/kFreeBSD 718 #52 and macOS 719 #51 Address lack of stdint.h in Visual Studio 2003 to 2008 720 #58 Address compile warnings 721 #68 Fix "./buildconf.sh && ./configure" for some versions 722 of Dash for /bin/sh 723 #72 CMake: Ease use of Expat in context of a parent project 724 with multiple CMakeLists.txt files 725 #72 CMake: Resolve mistaken executable permissions 726 #76 Address compile warning with -DNDEBUG (not recommended!) 727 #77 Address compile warning about macro redefinition 728 729 Special thanks to: 730 Alexander Bluhm 731 Ben Boeckel 732 Cătălin Răceanu 733 Kerin Millar 734 László Böszörményi 735 S. P. Zeidler 736 Segev Finer 737 Václav Slavík 738 Victor Stinner 739 Viktor Szakats 740 and 741 Radically Open Security 742 743Release 2.2.1 Sat June 17 2017 744 Security fixes: 745 CVE-2017-9233 -- External entity infinite loop DoS 746 Details: https://libexpat.github.io/doc/cve-2017-9233/ 747 Commit c4bf96bb51dd2a1b0e185374362ee136fe2c9d7f 748 [MOX-002] CVE-2016-9063 -- Detect integer overflow; commit 749 d4f735b88d9932bd5039df2335eefdd0723dbe20 750 (Fixed version of existing downstream patches!) 751 (SF.net) #539 Fix regression from fix to CVE-2016-0718 cutting off 752 longer tag names; commits 753 * 896b6c1fd3b842f377d1b62135dccf0a579cf65d 754 * af507cef2c93cb8d40062a0abe43a4f4e9158fb2 755 #16 * 0dbbf43fdb20f593ddf4fa1ff67288000dd4a7fd 756 #25 More integer overflow detection (function poolGrow); commits 757 * 810b74e4703dcfdd8f404e3cb177d44684775143 758 * 44178553f3539ce69d34abee77a05e879a7982ac 759 [MOX-002] Detect overflow from len=INT_MAX call to XML_Parse; commits 760 * 4be2cb5afcc018d996f34bbbce6374b7befad47f 761 * 7e5b71b748491b6e459e5c9a1d090820f94544d8 762 [MOX-005] #30 Use high quality entropy for hash initialization: 763 * arc4random_buf on BSD, systems with libbsd 764 (when configured with --with-libbsd), CloudABI 765 * RtlGenRandom on Windows XP / Server 2003 and later 766 * getrandom on Linux 3.17+ 767 In a way, that's still part of CVE-2016-5300. 768 https://github.com/libexpat/libexpat/pull/30/commits 769 [MOX-005] For the low quality entropy extraction fallback code, 770 the parser instance address can no longer leak, commit 771 04ad658bd3079dd15cb60fc67087900f0ff4b083 772 [MOX-003] Prevent use of uninitialised variable; commit 773 [MOX-004] a4dc944f37b664a3ca7199c624a98ee37babdb4b 774 Add missing parameter validation to public API functions 775 and dedicated error code XML_ERROR_INVALID_ARGUMENT: 776 [MOX-006] * NULL checks; commits 777 * d37f74b2b7149a3a95a680c4c4cd2a451a51d60a (merge/many) 778 * 9ed727064b675b7180c98cb3d4f75efba6966681 779 * 6a747c837c50114dfa413994e07c0ba477be4534 780 * Negative length (XML_Parse); commit 781 [MOX-002] 70db8d2538a10f4c022655d6895e4c3e78692e7f 782 [MOX-001] #35 Change hash algorithm to William Ahern's version of SipHash 783 to go further with fixing CVE-2012-0876. 784 https://github.com/libexpat/libexpat/pull/39/commits 785 786 Bug fixes: 787 #32 Fix sharing of hash salt across parsers; 788 relevant where XML_ExternalEntityParserCreate is called 789 prior to XML_Parse, in particular (e.g. FBReader) 790 #28 xmlwf: Auto-disable use of memory-mapping (and parsing 791 as a single chunk) for files larger than ~1 GB (2^30 bytes) 792 rather than failing with error "out of memory" 793 #3 Fix double free after malloc failure in DTD code; commit 794 7ae9c3d3af433cd4defe95234eae7dc8ed15637f 795 #17 Fix memory leak on parser error for unbound XML attribute 796 prefix with new namespaces defined in the same tag; 797 found by Google's OSS-Fuzz; commits 798 * 16f87daae5a16132e479e4f71862128c7a915c73 799 * b47dbc9745932c160893d433220e462bd605f8cd 800 xmlwf on Windows: Add missing calls to CloseHandle 801 802 New features: 803 #30 Introduced environment switch EXPAT_ENTROPY_DEBUG=1 804 for runtime debugging of entropy extraction 805 806 Other changes: 807 Increase code coverage 808 #33 Reject use of XML_UNICODE_WCHAR_T with sizeof(wchar_t) != 2; 809 XML_UNICODE_WCHAR_T was never meant to be used outside 810 of Windows; 4-byte wchar_t is common on Linux 811 (SF.net) #538 Start using -fno-strict-aliasing 812 (SF.net) #540 Support compilation against cloudlibc of CloudABI 813 Allow MinGW cross-compilation 814 (SF.net) #534 CMake: Introduce option "BUILD_doc" (enabled by default) 815 to bypass compilation of the xmlwf.1 man page 816 (SF.net) pr2 CMake: Introduce option "INSTALL" (enabled by default) 817 to bypass installation of expat files 818 CMake: Fix ninja support 819 Autotools: Add parameters --enable-xml-context [COUNT] 820 and --disable-xml-context; default of context of 1024 821 bytes enabled unchanged 822 #14 Drop AmigaOS 4.x code and includes 823 #14 Drop ancient build systems: 824 * Borland C++ Builder 825 * OpenVMS 826 * Open Watcom 827 * Visual Studio 6.0 828 * Pre-X Mac OS (MPW Makefile) 829 If you happen to rely on some of these, please get in 830 touch for joining with maintenance. 831 #10 Move from WIN32 to _WIN32 832 #13 Fix "make run-xmltest" order instability 833 Address compile warnings 834 Bump version info from 7:2:6 to 7:3:6 835 Add AUTHORS file 836 837 Infrastructure: 838 #1 Migrate from SourceForge to GitHub (except downloads): 839 https://github.com/libexpat/ 840 #1 Re-create http://libexpat.org/ project website 841 Start utilizing Travis CI 842 843 Special thanks to: 844 Andy Wang 845 Don Lewis 846 Ed Schouten 847 Karl Waclawek 848 Pascal Cuoq 849 Rhodri James 850 Sergei Nikulov 851 Tobias Taschner 852 Viktor Szakats 853 and 854 Core Infrastructure Initiative 855 Mozilla Foundation (MOSS Track 3: Secure Open Source) 856 Radically Open Security 857 858Release 2.2.0 Tue June 21 2016 859 Security fixes: 860 #537 CVE-2016-0718 -- Fix crash on malformed input 861 CVE-2016-4472 -- Improve insufficient fix to CVE-2015-1283 / 862 CVE-2015-2716 introduced with Expat 2.1.1 863 #499 CVE-2016-5300 -- Use more entropy for hash initialization 864 than the original fix to CVE-2012-0876 865 #519 CVE-2012-6702 -- Resolve troublesome internal call to srand 866 that was introduced with Expat 2.1.0 867 when addressing CVE-2012-0876 (issue #496) 868 869 Bug fixes: 870 Fix uninitialized reads of size 1 871 (e.g. in little2_updatePosition) 872 Fix detection of UTF-8 character boundaries 873 874 Other changes: 875 #532 Fix compilation for Visual Studio 2010 (keyword "C99") 876 Autotools: Resolve use of "$<" to better support bmake 877 Autotools: Add QA script "qa.sh" (and make target "qa") 878 Autotools: Respect CXXFLAGS if given 879 Autotools: Fix "make run-xmltest" 880 Autotools: Have "make run-xmltest" check for expected output 881 p90 CMake: Fix static build (BUILD_shared=OFF) on Windows 882 #536 CMake: Add soversion, support -DNO_SONAME=yes to bypass 883 #323 CMake: Add suffix "d" to differentiate debug from release 884 CMake: Define WIN32 with CMake on Windows 885 Annotate memory allocators for GCC 886 Address all currently known compile warnings 887 Make sure that API symbols remain visible despite 888 -fvisibility=hidden 889 Remove executable flag from source files 890 Resolve COMPILED_FROM_DSP in favor of WIN32 891 892 Special thanks to: 893 Björn Lindahl 894 Christian Heimes 895 Cristian Rodríguez 896 Daniel Krügler 897 Gustavo Grieco 898 Karl Waclawek 899 László Böszörményi 900 Marco Grassi 901 Pascal Cuoq 902 Sergei Nikulov 903 Thomas Beutlich 904 Warren Young 905 Yann Droneaud 906 907Release 2.1.1 Sat March 12 2016 908 Security fixes: 909 #582: CVE-2015-1283 - Multiple integer overflows in XML_GetBuffer 910 911 Bug fixes: 912 #502: Fix potential null pointer dereference 913 #520: Symbol XML_SetHashSalt was not exported 914 Output of "xmlwf -h" was incomplete 915 916 Other changes: 917 #503: Document behavior of calling XML_SetHashSalt with salt 0 918 Minor improvements to man page xmlwf(1) 919 Improvements to the experimental CMake build system 920 libtool now invoked with --verbose 921 922Release 2.1.0 Sat March 24 2012 923 - Security fixes: 924 #2958794: CVE-2012-1148 - Memory leak in poolGrow. 925 #2895533: CVE-2012-1147 - Resource leak in readfilemap.c. 926 #3496608: CVE-2012-0876 - Hash DOS attack. 927 #2894085: CVE-2009-3560 - Buffer over-read and crash in big2_toUtf8(). 928 #1990430: CVE-2009-3720 - Parser crash with special UTF-8 sequences. 929 - Bug Fixes: 930 #1742315: Harmful XML_ParserCreateNS suggestion. 931 #1785430: Expat build fails on linux-amd64 with gcc version>=4.1 -O3. 932 #1983953, 2517952, 2517962, 2649838: 933 Build modifications using autoreconf instead of buildconf.sh. 934 #2815947, #2884086: OBJEXT and EXEEXT support while building. 935 #2517938: xmlwf should return non-zero exit status if not well-formed. 936 #2517946: Wrong statement about XMLDecl in xmlwf.1 and xmlwf.sgml. 937 #2855609: Dangling positionPtr after error. 938 #2990652: CMake support. 939 #3010819: UNEXPECTED_STATE with a trailing "%" in entity value. 940 #3206497: Uninitialized memory returned from XML_Parse. 941 #3287849: make check fails on mingw-w64. 942 - Patches: 943 #1749198: pkg-config support. 944 #3010222: Fix for bug #3010819. 945 #3312568: CMake support. 946 #3446384: Report byte offsets for attr names and values. 947 - New Features / API changes: 948 Added new API member XML_SetHashSalt() that allows setting an initial 949 value (salt) for hash calculations. This is part of the fix for 950 bug #3496608 to randomize hash parameters. 951 When compiled with XML_ATTR_INFO defined, adds new API member 952 XML_GetAttributeInfo() that allows retrieving the byte 953 offsets for attribute names and values (patch #3446384). 954 Added CMake build system. 955 See bug #2990652 and patch #3312568. 956 Added run-benchmark target to Makefile.in - relies on testdata module 957 present in the same relative location as in the repository. 958 959Release 2.0.1 Tue June 5 2007 960 - Fixed bugs #1515266, #1515600: The character data handler's calling 961 of XML_StopParser() was not handled properly; if the parser was 962 stopped and the handler set to NULL, the parser would segfault. 963 - Fixed bug #1690883: Expat failed on EBCDIC systems as it assumed 964 some character constants to be ASCII encoded. 965 - Minor cleanups of the test harness. 966 - Fixed xmlwf bug #1513566: "out of memory" error on file size zero. 967 - Fixed outline.c bug #1543233: missing a final XML_ParserFree() call. 968 - Fixes and improvements for Windows platform: 969 bugs #1409451, #1476160, #1548182, #1602769, #1717322. 970 - Build fixes for various platforms: 971 HP-UX, Tru64, Solaris 9: patch #1437840, bug #1196180. 972 All Unix: #1554618 (refreshed config.sub/config.guess). 973 #1490371, #1613457: support both, DESTDIR and INSTALL_ROOT, 974 without relying on GNU-Make specific features. 975 #1647805: Patched configure.in to work better with Intel compiler. 976 - Fixes to Makefile.in to have make check work correctly: 977 bugs #1408143, #1535603, #1536684. 978 - Added Open Watcom support: patch #1523242. 979 980Release 2.0.0 Wed Jan 11 2006 981 - We no longer use the "check" library for C unit testing; we 982 always use the (partial) internal implementation of the API. 983 - Report XML_NS setting via XML_GetFeatureList(). 984 - Fixed headers for use from C++. 985 - XML_GetCurrentLineNumber() and XML_GetCurrentColumnNumber() 986 now return unsigned integers. 987 - Added XML_LARGE_SIZE switch to enable 64-bit integers for 988 byte indexes and line/column numbers. 989 - Updated to use libtool 1.5.22 (the most recent). 990 - Added support for AmigaOS. 991 - Some mostly minor bug fixes. SF issues include: #1006708, 992 #1021776, #1023646, #1114960, #1156398, #1221160, #1271642. 993 994Release 1.95.8 Fri Jul 23 2004 995 - Major new feature: suspend/resume. Handlers can now request 996 that a parse be suspended for later resumption or aborted 997 altogether. See "Temporarily Stopping Parsing" in the 998 documentation for more details. 999 - Some mostly minor bug fixes, but compilation should no 1000 longer generate warnings on most platforms. SF issues 1001 include: #827319, #840173, #846309, #888329, #896188, #923913, 1002 #928113, #961698, #985192. 1003 1004Release 1.95.7 Mon Oct 20 2003 1005 - Fixed enum XML_Status issue (reported on SourceForge many 1006 times), so compilers that are properly picky will be happy. 1007 - Introduced an XMLCALL macro to control the calling 1008 convention used by the Expat API; this macro should be used 1009 to annotate prototypes and definitions of callback 1010 implementations in code compiled with a calling convention 1011 other than the default convention for the host platform. 1012 - Improved ability to build without the configure-generated 1013 expat_config.h header. This is useful for applications 1014 which embed Expat rather than linking in the library. 1015 - Fixed a variety of bugs: see SF issues #458907, #609603, 1016 #676844, #679754, #692878, #692964, #695401, #699323, #699487, 1017 #820946. 1018 - Improved hash table lookups. 1019 - Added more regression tests and improved documentation. 1020 1021Release 1.95.6 Tue Jan 28 2003 1022 - Added XML_FreeContentModel(). 1023 - Added XML_MemMalloc(), XML_MemRealloc(), XML_MemFree(). 1024 - Fixed a variety of bugs: see SF issues #615606, #616863, 1025 #618199, #653180, #673791. 1026 - Enhanced the regression test suite. 1027 - Man page improvements: includes SF issue #632146. 1028 1029Release 1.95.5 Fri Sep 6 2002 1030 - Added XML_UseForeignDTD() for improved SAX2 support. 1031 - Added XML_GetFeatureList(). 1032 - Defined XML_Bool type and the values XML_TRUE and XML_FALSE. 1033 - Use an incomplete struct instead of a void* for the parser 1034 (may not retain). 1035 - Fixed UTF-8 decoding bug that caused legal UTF-8 to be rejected. 1036 - Finally fixed bug where default handler would report DTD 1037 events that were already handled by another handler. 1038 Initial patch contributed by Darryl Miles. 1039 - Removed unnecessary DllMain() function that caused static 1040 linking into a DLL to be difficult. 1041 - Added VC++ projects for building static libraries. 1042 - Reduced line-length for all source code and headers to be 1043 no longer than 80 characters, to help with AS/400 support. 1044 - Reduced memory copying during parsing (SF patch #600964). 1045 - Fixed a variety of bugs: see SF issues #580793, #434664, 1046 #483514, #580503, #581069, #584041, #584183, #584832, #585537, 1047 #596555, #596678, #598352, #598944, #599715, #600479, #600971. 1048 1049Release 1.95.4 Fri Jul 12 2002 1050 - Added support for VMS, contributed by Craig Berry. See 1051 vms/README.vms for more information. 1052 - Added Mac OS (classic) support, with a makefile for MPW, 1053 contributed by Thomas Wegner and Daryle Walker. 1054 - Added Borland C++ Builder 5 / BCC 5.5 support, contributed 1055 by Patrick McConnell (SF patch #538032). 1056 - Fixed a variety of bugs: see SF issues #441449, #563184, 1057 #564342, #566334, #566901, #569461, #570263, #575168, #579196. 1058 - Made skippedEntityHandler conform to SAX2 (see source comment) 1059 - Re-implemented WFC: Entity Declared from XML 1.0 spec and 1060 added a new error "entity declared in parameter entity": 1061 see SF bug report #569461 and SF patch #578161 1062 - Re-implemented section 5.1 from XML 1.0 spec: 1063 see SF bug report #570263 and SF patch #578161 1064 1065Release 1.95.3 Mon Jun 3 2002 1066 - Added a project to the MSVC workspace to create a wchar_t 1067 version of the library; the DLLs are named libexpatw.dll. 1068 - Changed the name of the Windows DLLs from expat.dll to 1069 libexpat.dll; this fixes SF bug #432456. 1070 - Added the XML_ParserReset() API function. 1071 - Fixed XML_SetReturnNSTriplet() to work for element names. 1072 - Made the XML_UNICODE builds usable (thanks, Karl!). 1073 - Allow xmlwf to read from standard input. 1074 - Install a man page for xmlwf on Unix systems. 1075 - Fixed many bugs; see SF bug reports #231864, #461380, #464837, 1076 #466885, #469226, #477667, #484419, #487840, #494749, #496505, 1077 #547350. Other bugs which we can't test as easily may also 1078 have been fixed, especially in the area of build support. 1079 1080Release 1.95.2 Fri Jul 27 2001 1081 - More changes to make MSVC happy with the build; add a single 1082 workspace to support both the library and xmlwf application. 1083 - Added a Windows installer for Windows users; includes 1084 xmlwf.exe. 1085 - Added compile-time constants that can be used to determine the 1086 Expat version 1087 - Removed a lot of GNU-specific dependencies to aide portability 1088 among the various Unix flavors. 1089 - Fix the UTF-8 BOM bug. 1090 - Cleaned up warning messages for several compilers. 1091 - Added the -Wall, -Wstrict-prototypes options for GCC. 1092 1093Release 1.95.1 Sun Oct 22 15:11:36 EDT 2000 1094 - Changes to get expat to build under Microsoft compiler 1095 - Removed all aborts and instead return an UNEXPECTED_STATE error. 1096 - Fixed a bug where a stray '%' in an entity value would cause an 1097 abort. 1098 - Defined XML_SetEndNamespaceDeclHandler. Thanks to Darryl Miles for 1099 finding this oversight. 1100 - Changed default patterns in lib/Makefile.in to fit non-GNU makes 1101 Thanks to robin@unrated.net for reporting and providing an 1102 account to test on. 1103 - The reference had the wrong label for XML_SetStartNamespaceDecl. 1104 Reported by an anonymous user. 1105 1106Release 1.95.0 Fri Sep 29 2000 1107 - XML_ParserCreate_MM 1108 Allows you to set a memory management suite to replace the 1109 standard malloc,realloc, and free. 1110 - XML_SetReturnNSTriplet 1111 If you turn this feature on when namespace processing is in 1112 effect, then qualified, prefixed element and attribute names 1113 are returned as "uri|name|prefix" where '|' is whatever 1114 separator character is used in namespace processing. 1115 - Merged in features from perl-expat 1116 o XML_SetElementDeclHandler 1117 o XML_SetAttlistDeclHandler 1118 o XML_SetXmlDeclHandler 1119 o XML_SetEntityDeclHandler 1120 o StartDoctypeDeclHandler takes 3 additional parameters: 1121 sysid, pubid, has_internal_subset 1122 o Many paired handler setters (like XML_SetElementHandler) 1123 now have corresponding individual handler setters 1124 o XML_GetInputContext for getting the input context of 1125 the current parse position. 1126 - Added reference material 1127 - Packaged into a distribution that builds a sharable library 1128