xref: /freebsd/contrib/expat/Changes (revision 994297b01b98816bea1abf45ae4bac1bc69ee7a0)
1NOTE: We are looking for help with a few things:
2      https://github.com/libexpat/libexpat/labels/help%20wanted
3      If you can help, please get in touch.  Thanks!
4
5Release 2.4.6 Sun February 20 2022
6        Bug fixes:
7            #566  Fix a regression introduced by the fix for CVE-2022-25313
8                    in release 2.4.5 that affects applications that (1)
9                    call function XML_SetElementDeclHandler and (2) are
10                    parsing XML that contains nested element declarations
11                    (e.g. "<!ELEMENT junk ((bar|foo|xyz+), zebra*)>").
12
13        Other changes:
14       #567 #568  Version info bumped from 9:5:8 to 9:6:8;
15                    see https://verbump.de/ for what these numbers do
16
17        Special thanks to:
18            Matt Sergeant
19            Samanta Navarro
20            Sergei Trofimovich
21                 and
22            NixOS
23            Perl XML::Parser
24
25Release 2.4.5 Fri February 18 2022
26        Security fixes:
27            #562  CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8
28                    sequences (e.g. from start tag names) to the XML
29                    processing application on top of Expat can cause
30                    arbitrary damage (e.g. code execution) depending
31                    on how invalid UTF-8 is handled inside the XML
32                    processor; validation was not their job but Expat's.
33                    Exploits with code execution are known to exist.
34            #561  CVE-2022-25236 -- Passing (one or more) namespace separator
35                    characters in "xmlns[:prefix]" attribute values
36                    made Expat send malformed tag names to the XML
37                    processor on top of Expat which can cause
38                    arbitrary damage (e.g. code execution) depending
39                    on such unexpectable cases are handled inside the XML
40                    processor; validation was not their job but Expat's.
41                    Exploits with code execution are known to exist.
42            #558  CVE-2022-25313 -- Fix stack exhaustion in doctype parsing
43                    that could be triggered by e.g. a 2 megabytes
44                    file with a large number of opening braces.
45                    Expected impact is denial of service or potentially
46                    arbitrary code execution.
47            #560  CVE-2022-25314 -- Fix integer overflow in function copyString;
48                    only affects the encoding name parameter at parser creation
49                    time which is often hardcoded (rather than user input),
50                    takes a value in the gigabytes to trigger, and a 64-bit
51                    machine.  Expected impact is denial of service.
52            #559  CVE-2022-25315 -- Fix integer overflow in function storeRawNames;
53                    needs input in the gigabytes and a 64-bit machine.
54                    Expected impact is denial of service or potentially
55                    arbitrary code execution.
56
57        Other changes:
58       #557 #564  Version info bumped from 9:4:8 to 9:5:8;
59                    see https://verbump.de/ for what these numbers do
60
61        Special thanks to:
62            Ivan Fratric
63            Samanta Navarro
64                 and
65            Google Project Zero
66            JetBrains
67
68Release 2.4.4 Sun January 30 2022
69        Security fixes:
70            #550  CVE-2022-23852 -- Fix signed integer overflow
71                    (undefined behavior) in function XML_GetBuffer
72                    (that is also called by function XML_Parse internally)
73                    for when XML_CONTEXT_BYTES is defined to >0 (which is both
74                    common and default).
75                    Impact is denial of service or more.
76            #551  CVE-2022-23990 -- Fix unsigned integer overflow in function
77                    doProlog triggered by large content in element type
78                    declarations when there is an element declaration handler
79                    present (from a prior call to XML_SetElementDeclHandler).
80                    Impact is denial of service or more.
81
82        Bug fixes:
83       #544 #545  xmlwf: Fix a memory leak on output file opening error
84
85        Other changes:
86            #546  Autotools: Fix broken CMake support under Cygwin
87            #554  Windows: Add missing files to the installer to fix
88                    compilation with CMake from installed sources
89       #552 #554  Version info bumped from 9:3:8 to 9:4:8;
90                    see https://verbump.de/ for what these numbers do
91
92        Special thanks to:
93            Carlo Bramini
94            hwt0415
95            Roland Illig
96            Samanta Navarro
97                 and
98            Clang LeakSan and the Clang team
99
100Release 2.4.3 Sun January 16 2022
101        Security fixes:
102       #531 #534  CVE-2021-45960 -- Fix issues with left shifts by >=29 places
103                    resulting in
104                      a) realloc acting as free
105                      b) realloc allocating too few bytes
106                      c) undefined behavior
107                    depending on architecture and precise value
108                    for XML documents with >=2^27+1 prefixed attributes
109                    on a single XML tag a la
110                    "<r xmlns:a='[..]' a:a123='[..]' [..] />"
111                    where XML_ParserCreateNS is used to create the parser
112                    (which needs argument "-n" when running xmlwf).
113                    Impact is denial of service, or more.
114       #532 #538  CVE-2021-46143 (ZDI-CAN-16157) -- Fix integer overflow
115                    on variable m_groupSize in function doProlog leading
116                    to realloc acting as free.
117                    Impact is denial of service or more.
118            #539  CVE-2022-22822 to CVE-2022-22827 -- Prevent integer overflows
119                    near memory allocation at multiple places.  Mitre assigned
120                    a dedicated CVE for each involved internal C function:
121                    - CVE-2022-22822 for function addBinding
122                    - CVE-2022-22823 for function build_model
123                    - CVE-2022-22824 for function defineAttribute
124                    - CVE-2022-22825 for function lookup
125                    - CVE-2022-22826 for function nextScaffoldPart
126                    - CVE-2022-22827 for function storeAtts
127                    Impact is denial of service or more.
128
129        Other changes:
130            #535  CMake: Make call to file(GENERATE [..]) work for CMake <3.19
131            #541  Autotools|CMake: MinGW: Make run.sh(.in) work for Cygwin
132                    and MSYS2 by not going through Wine on these platforms
133       #527 #528  Address compiler warnings
134       #533 #543  Version info bumped from 9:2:8 to 9:3:8;
135                    see https://verbump.de/ for what these numbers do
136
137        Infrastructure:
138            #536  CI: Check for realistic minimum CMake version
139       #529 #539  CI: Cover compilation with -m32
140            #529  CI: Store coverage reports as artifacts for download
141            #528  CI: Upgrade Clang from 11 to 13
142
143        Special thanks to:
144            An anonymous whitehat
145            Christopher Degawa
146            J. Peter Mugaas
147            Tyson Smith
148                 and
149            GCC Farm Project
150            Trend Micro Zero Day Initiative
151
152Release 2.4.2 Sun December 19 2021
153        Other changes:
154       #509 #510  Link againgst libm for function "isnan"
155       #513 #514  Include expat_config.h as early as possible
156            #498  Autotools: Include files with release archives:
157                    - buildconf.sh
158                    - fuzz/*.c
159       #507 #519  Autotools: Sync CMake templates
160       #495 #524  CMake: MinGW: Fix pkg-config section "Libs" for
161                    - non-release build types (e.g. -DCMAKE_BUILD_TYPE=Debug)
162                    - multi-config CMake generators (e.g. Ninja Multi-Config)
163       #502 #503  docs: Document that function XML_GetBuffer may return NULL
164                    when asking for a buffer of 0 (zero) bytes size
165       #522 #523  docs: Fix return value docs for both
166                    XML_SetBillionLaughsAttackProtection* functions
167       #525 #526  Version info bumped from 9:1:8 to 9:2:8;
168                    see https://verbump.de/ for what these numbers do
169
170        Special thanks to:
171            Dong-hee Na
172            Joergen Ibsen
173            Kai Pastor
174
175Release 2.4.1 Sun May 23 2021
176        Bug fixes:
177       #488 #490  Autotools: Fix installed header expat_config.h for multilib
178                    systems; regression introduced in 2.4.0 by pull request #486
179
180        Other changes:
181       #491 #492  Version info bumped from 9:0:8 to 9:1:8;
182                    see https://verbump.de/ for what these numbers do
183
184        Special thanks to:
185            Gentoo's QA check "multilib_check_headers"
186
187Release 2.4.0 Sun May 23 2021
188        Security fixes:
189   #34 #466 #484  CVE-2013-0340/CWE-776 -- Protect against billion laughs attacks
190                    (denial-of-service; flavors targeting CPU time or RAM or both,
191                    leveraging general entities or parameter entities or both)
192                    by tracking and limiting the input amplification factor
193                    (<amplification> := (<direct> + <indirect>) / <direct>).
194                    By conservative default, amplification up to a factor of 100.0
195                    is tolerated and rejection only starts after 8 MiB of output bytes
196                    (=<direct> + <indirect>) have been processed.
197                    The fix adds the following to the API:
198                    - A new error code XML_ERROR_AMPLIFICATION_LIMIT_BREACH to
199                      signals this specific condition.
200                    - Two new API functions ..
201                      - XML_SetBillionLaughsAttackProtectionMaximumAmplification and
202                      - XML_SetBillionLaughsAttackProtectionActivationThreshold
203                      .. to further tighten billion laughs protection parameters
204                      when desired.  Please see file "doc/reference.html" for details.
205                      If you ever need to increase the defaults for non-attack XML
206                      payload, please file a bug report with libexpat.
207                    - Two new XML_FEATURE_* constants ..
208                      - that can be queried using the XML_GetFeatureList function, and
209                      - that are shown in "xmlwf -v" output.
210                    - Two new environment variable switches ..
211                      - EXPAT_ACCOUNTING_DEBUG=(0|1|2|3) and
212                      - EXPAT_ENTITY_DEBUG=(0|1)
213                      .. for runtime debugging of accounting and entity processing.
214                      Specific behavior of these values may change in the future.
215                    - Two new command line arguments "-a FACTOR" and "-b BYTES"
216                      for xmlwf to further tighten billion laughs protection
217                      parameters when desired.
218                      If you ever need to increase the defaults for non-attack XML
219                      payload, please file a bug report with libexpat.
220
221        Bug fixes:
222       #332 #470  For (non-default) compilation with -DEXPAT_MIN_SIZE=ON (CMake)
223                    or CPPFLAGS=-DXML_MIN_SIZE (GNU Autotools): Fix segfault
224                    for UTF-16 payloads containing CDATA sections.
225       #485 #486  Autotools: Fix generated CMake files for non-64bit and
226                    non-Linux platforms (e.g. macOS and MinGW in particular)
227                    that were introduced with release 2.3.0
228
229        Other changes:
230       #468 #469  xmlwf: Improve help output and the xmlwf man page
231            #463  xmlwf: Improve maintainability through some refactoring
232            #477  xmlwf: Fix man page DocBook validity
233       #458 #459  CMake: Support absolute paths for both CMAKE_INSTALL_LIBDIR
234                    and CMAKE_INSTALL_INCLUDEDIR
235       #471 #481  CMake: Add support for standard variable BUILD_SHARED_LIBS
236            #457  Unexpose symbol _INTERNAL_trim_to_complete_utf8_characters
237            #467  Resolve macro HAVE_EXPAT_CONFIG_H
238            #472  Delete unused legacy helper file "conftools/PrintPath"
239       #473 #483  Improve attribution
240  #464 #465 #477  doc/reference.html: Fix XHTML validity
241       #475 #478  doc/reference.html: Replace the 90s look by OK.css
242            #479  Version info bumped from 8:0:7 to 9:0:8
243                    due to addition of new symbols and error codes;
244                    see https://verbump.de/ for what these numbers do
245
246        Infrastructure:
247            #456  CI: Enable periodic runs
248            #457  CI: Start covering the list of exported symbols
249            #474  CI: Isolate coverage task
250       #476 #482  CI: Adapt to breaking changes in image "ubuntu-18.04"
251            #477  CI: Cover well-formedness and DocBook/XHTML validity
252                    of doc/reference.html and doc/xmlwf.xml
253
254        Special thanks to:
255            Dimitry Andric
256            Eero Helenius
257            Nick Wellnhofer
258            Rhodri James
259            Tomas Korbar
260            Yury Gribov
261                 and
262            Clang LeakSan
263            JetBrains
264            OSS-Fuzz
265
266Release 2.3.0 Thu March 25 2021
267        Bug fixes:
268            #438  When calling XML_ParseBuffer without a prior successful call to
269                    XML_GetBuffer as a user, no longer trigger undefined behavior
270                    (by adding an integer to a NULL pointer) but rather return
271                    XML_STATUS_ERROR and set the error code to (new) code
272                    XML_ERROR_NO_BUFFER. Found by UBSan (UndefinedBehaviorSanitizer)
273                    of Clang 11 (but not Clang 9).
274            #444  xmlwf: Exit status 2 was used for both:
275                    - malformed input files (documented) and
276                    - invalid command-line arguments (undocumented).
277                    The case of invalid command-line arguments now
278                    has its own exit status 4, resolving the ambiguity.
279
280        Other changes:
281            #439  xmlwf: Add argument -k to allow continuing after
282                    non-fatal errors
283            #439  xmlwf: Add section about exit status to the -h help output
284  #422 #426 #447  Windows: Drop support for Visual Studio <=14.0/2015
285            #434  Windows: CMake: Detect unsupported Visual Studio at
286                    configure time (rather than at compile time)
287       #382 #428  testrunner: Make verbose mode (argument "-v") report
288                    about passed tests, and make default mode report about
289                    failures, as well.
290            #442  CMake: Call "enable_language(CXX)" prior to tinkering
291                    with CMAKE_CXX_* variables
292            #448  Document use of libexpat from a CMake-based project
293            #451  Autotools: Install CMake files as generated by CMake 3.19.6
294                    so that users with "find_package(expat [..] CONFIG [..])"
295                    are served on distributions that are *not* using the CMake
296                    build system inside for libexpat packaging
297       #436 #437  Autotools: Drop obsolescent macro AC_HEADER_STDC
298       #450 #452  Autotools: Resolve use of obsolete macro AC_CONFIG_HEADER
299            #441  Address compiler warnings
300            #443  Version info bumped from 7:12:6 to 8:0:7
301                    due to addition of error code XML_ERROR_NO_BUFFER
302                    (see https://verbump.de/ for what these numbers do)
303
304        Infrastructure:
305       #435 #446  Replace Travis CI by GitHub Actions
306
307        Special thanks to:
308            Alexander Richardson
309            Oleksandr Popovych
310            Thomas Beutlich
311            Tim Bray
312                 and
313            Clang LeakSan, Clang 11 UBSan and the Clang team
314
315Release 2.2.10 Sat October 3 2020
316        Bug fixes:
317  #390 #395 #398  Fix undefined behavior during parsing caused by
318                    pointer arithmetic with NULL pointers
319       #404 #405  Fix reading uninitialized variable during parsing
320            #406  xmlwf: Add missing check for malloc NULL return
321
322        Other changes:
323            #396  Windows: Drop support for Visual Studio <=8.0/2005
324            #409  Windows: Add missing file "Changes" to the installer
325                    to fix compilation with CMake from installed sources
326            #403  xmlwf: Document exit codes in xmlwf manpage and
327                    exit with code 3 (rather than code 1) for output errors
328                    when used with "-d DIRECTORY"
329       #356 #359  MinGW: Provide declaration of rand_s for mingwrt <5.3.0
330       #383 #392  Autotools: Use -Werror while configure tests the compiler
331                    for supported compile flags to avoid false positives
332  #383 #393 #394  Autotools: Improve handling of user (C|CPP|CXX|LD)FLAGS,
333                    e.g. ensure that they have the last word over flags added
334                    while running ./configure
335            #360  CMake: Create libexpatw.{dll,so} and expatw.pc (with emphasis
336                    on suffix "w") with -DEXPAT_CHAR_TYPE=(ushort|wchar_t)
337            #360  CMake: Detect and deny unsupported build combinations
338                    involving -DEXPAT_CHAR_TYPE=(ushort|wchar_t)
339            #360  CMake: Install pre-compiled shipped xmlwf.1 manpage in case
340                    of -DEXPAT_BUILD_DOCS=OFF
341  #375 #380 #419  CMake: Fix use of Expat by means of add_subdirectory
342       #407 #408  CMake: Keep expat target name constant at "expat"
343                    (i.e. refrain from using the target name to control
344                    build artifact filenames)
345            #385  CMake: Fix compilation with -DEXPAT_SHARED_LIBS=OFF for
346                    Windows
347                  CMake: Expose man page compilation as target "xmlwf-manpage"
348       #413 #414  CMake: Introduce option EXPAT_BUILD_PKGCONFIG
349                    to control generation of pkg-config file "expat.pc"
350            #424  CMake: Add minimalistic support for building binary packages
351                    with CMake target "package"; based on CPack
352            #366  CMake: Add option -DEXPAT_OSSFUZZ_BUILD=(ON|OFF) with
353                    default OFF to build fuzzer code against OSS-Fuzz and
354                    related environment variable LIB_FUZZING_ENGINE
355            #354  Fix testsuite for -DEXPAT_DTD=OFF and -DEXPAT_NS=OFF, each
356    #354 #355 ..
357       #356 #412  Address compiler warnings
358       #368 #369  Address pngcheck warnings with doc/*.png images
359            #425  Version info bumped from 7:11:6 to 7:12:6
360
361        Special thanks to:
362            asavah
363            Ben Wagner
364            Bhargava Shastry
365            Frank Landgraf
366            Jeffrey Walton
367            Joe Orton
368            Kleber Tarcísio
369            Ma Lin
370            Maciej Sroczyński
371            Mohammed Khajapasha
372            Vadim Zeitlin
373                 and
374            Cppcheck 2.0 and the Cppcheck team
375
376Release 2.2.9 Wed September 25 2019
377        Other changes:
378                  examples: Drop executable bits from elements.c
379            #349  Windows: Change the name of the Windows DLLs from expat*.dll
380                    to libexpat*.dll once more (regression from 2.2.8, first
381                    fixed in 1.95.3, issue #61 on SourceForge today,
382                    was issue #432456 back then); needs a fix due
383                    case-insensitive file systems on Windows and the fact that
384                    Perl's XML::Parser::Expat compiles into Expat.dll.
385            #347  Windows: Only define _CRT_RAND_S if not defined
386                  Version info bumped from 7:10:6 to 7:11:6
387
388        Special thanks to:
389            Ben Wagner
390
391Release 2.2.8 Fri September 13 2019
392        Security fixes:
393       #317 #318  CVE-2019-15903 -- Fix heap overflow triggered by
394                    XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber),
395                    and deny internal entities closing the doctype;
396                    fixed in commit c20b758c332d9a13afbbb276d30db1d183a85d43
397
398        Bug fixes:
399            #240  Fix cases where XML_StopParser did not have any effect
400                    when called from inside of an end element handler
401            #341  xmlwf: Fix exit code for operation without "-d DIRECTORY";
402                    previously, only "-d DIRECTORY" would give you a proper
403                    exit code:
404                      # xmlwf -d . <<<'<not well-formed>' 2>/dev/null ; echo $?
405                      2
406                      # xmlwf <<<'<not well-formed>' 2>/dev/null ; echo $?
407                      0
408                    Now both cases return exit code 2.
409
410        Other changes:
411       #299 #302  Windows: Replace LoadLibrary hack to access
412                    unofficial API function SystemFunction036 (RtlGenRandom)
413                    by using official API function rand_s (needs WinXP+)
414            #325  Windows: Drop support for Visual Studio <=7.1/2003
415                    and document supported compilers in README.md
416            #286  Windows: Remove COM code from xmlwf; in case it turns
417                    out needed later, there will be a dedicated repository
418                    below https://github.com/libexpat/ for that code
419            #322  Windows: Remove explicit MSVC solution and project files.
420                    You can generate Visual Studio solution files through
421                    CMake, e.g.: cmake -G"Visual Studio 15 2017" .
422            #338  xmlwf: Make "xmlwf -h" help output more friendly
423            #339  examples: Improve elements.c
424       #244 #264  Autotools: Add argument --enable-xml-attr-info
425       #239 #301  Autotools: Add arguments
426                    --with-getrandom
427                    --without-getrandom
428                    --with-sys-getrandom
429                    --without-sys-getrandom
430       #312 #343  Autotools: Fix linking issues with "./configure LD=clang"
431                  Autotools: Fix "make run-xmltest" for out-of-source builds
432       #329 #336  CMake: Pull all options from Expat <=2.2.7 into namespace
433                    prefix EXPAT_ with the exception of DOCBOOK_TO_MAN:
434                    - BUILD_doc            -> EXPAT_BUILD_DOCS (plural)
435                    - BUILD_examples       -> EXPAT_BUILD_EXAMPLES
436                    - BUILD_shared         -> EXPAT_SHARED_LIBS
437                    - BUILD_tests          -> EXPAT_BUILD_TESTS
438                    - BUILD_tools          -> EXPAT_BUILD_TOOLS
439                    - DOCBOOK_TO_MAN       -> DOCBOOK_TO_MAN (unchanged)
440                    - INSTALL              -> EXPAT_ENABLE_INSTALL
441                    - MSVC_USE_STATIC_CRT  -> EXPAT_MSVC_STATIC_CRT
442                    - USE_libbsd           -> EXPAT_WITH_LIBBSD
443                    - WARNINGS_AS_ERRORS   -> EXPAT_WARNINGS_AS_ERRORS
444                    - XML_CONTEXT_BYTES    -> EXPAT_CONTEXT_BYTES
445                    - XML_DEV_URANDOM      -> EXPAT_DEV_URANDOM
446                    - XML_DTD              -> EXPAT_DTD
447                    - XML_NS               -> EXPAT_NS
448                    - XML_UNICODE          -> EXPAT_CHAR_TYPE=ushort (!)
449                    - XML_UNICODE_WCHAR_T  -> EXPAT_CHAR_TYPE=wchar_t (!)
450       #244 #264  CMake: Add argument -DEXPAT_ATTR_INFO=(ON|OFF),
451                    default OFF
452            #326  CMake: Add argument -DEXPAT_LARGE_SIZE=(ON|OFF),
453                    default OFF
454            #328  CMake: Add argument -DEXPAT_MIN_SIZE=(ON|OFF),
455                    default OFF
456       #239 #277  CMake: Add arguments
457                    -DEXPAT_WITH_GETRANDOM=(ON|OFF|AUTO), default AUTO
458                    -DEXPAT_WITH_SYS_GETRANDOM=(ON|OFF|AUTO), default AUTO
459            #326  CMake: Install expat_config.h to include directory
460            #326  CMake: Generate and install configuration files for
461                    future find_package(expat [..] CONFIG [..])
462                  CMake: Now produces a summary of applied configuration
463                  CMake: Require C++ compiler only when tests are enabled
464            #330  CMake: Fix compilation for 16bit character types,
465                    i.e. ex -DXML_UNICODE=ON (and ex -DXML_UNICODE_WCHAR_T=ON)
466            #265  CMake: Fix linking with MinGW
467            #330  CMake: Add full support for MinGW; to enable, use
468                    -DCMAKE_TOOLCHAIN_FILE=[expat]/cmake/mingw-toolchain.cmake
469            #330  CMake: Port "make run-xmltest" from GNU Autotools to CMake
470            #316  CMake: Windows: Make binary postfix match MSVC
471                    Old: expat[d].lib
472                    New: expat[w][d][MD|MT].lib
473                  CMake: Migrate files from Windows to Unix line endings
474            #308  CMake: Integrate OSS-Fuzz fuzzers, option
475                    -DEXPAT_BUILD_FUZZERS=(ON|OFF), default OFF
476             #14  Drop an OpenVMS support leftover
477    #235 #268 ..
478    #270 #310 ..
479  #313 #331 #333  Address compiler warnings
480    #282 #283 ..
481       #284 #285  Address cppcheck warnings
482       #294 #295  Address Clang Static Analyzer warnings
483        #24 #293  Mass-apply clang-format 9 (and ensure conformance during CI)
484                  Version info bumped from 7:9:6 to 7:10:6
485
486        Special thanks to:
487            David Loffredo
488            Joonun Jang
489            Kishore Kunche
490            Marco Maggi
491            Mitch Phillips
492            Mohammed Khajapasha
493            Rolf Ade
494            xantares
495            Zhongyuan Zhou
496
497Release 2.2.7 Wed June 19 2019
498        Security fixes:
499       #186 #262  CVE-2018-20843 -- Fix extraction of namespace prefixes from
500                    XML names; XML names with multiple colons could end up in
501                    the wrong namespace, and take a high amount of RAM and CPU
502                    resources while processing, opening the door to
503                    use for denial-of-service attacks
504
505        Other changes:
506       #195 #197  Autotools/CMake: Utilize -fvisibility=hidden to stop
507                    exporting non-API symbols
508            #227  Autotools: Add --without-examples and --without-tests
509            #228  Autotools: Modernize configure.ac
510       #245 #246  Autotools: Fix check for -fvisibility=hidden for Clang
511       #247 #248  Autotools: Fix compilation for lack of docbook2x-man
512       #236 #258  Autotools: Produce .tar.{gz,lz,xz} release archives
513            #212  CMake: Make libdir of pkgconfig expat.pc support multilib
514       #158 #263  CMake: Build man page in PROJECT_BINARY_DIR not _SOURCE_DIR
515            #219  Remove fallback to bcopy, assume that memmove(3) exists
516            #257  Use portable "/usr/bin/env bash" shebang (e.g. for OpenBSD)
517            #243  Windows: Fix syntax of .def module definition files
518                  Version info bumped from 7:8:6 to 7:9:6
519
520        Special thanks to:
521            Benjamin Peterson
522            Caolán McNamara
523            Hanno Böck
524            KangLin
525            Kishore Kunche
526            Marco Maggi
527            Rhodri James
528            Sebastian Dröge
529            userwithuid
530            Yury Gribov
531
532Release 2.2.6 Sun August 12 2018
533        Bug fixes:
534       #170 #206  Avoid doing arithmetic with NULL pointers in XML_GetBuffer
535       #204 #205  Fix 2.2.5 regression with suspend-resume while parsing
536                    a document like '<root/>'
537
538        Other changes:
539       #165 #168  Autotools: Fix docbook-related configure syntax error
540            #166  Autotools: Avoid grep option `-q` for Solaris
541            #167  Autotools: Support
542                    ./configure DOCBOOK_TO_MAN="xmlto man --skip-validation"
543       #159 #167  Autotools: Support DOCBOOK_TO_MAN command which produces
544                    xmlwf.1 rather than XMLWF.1; also covers case insensitive
545                    file systems
546            #181  Autotools: Drop -rpath option passed to libtool
547            #188  Autotools: Detect and deny SGML docbook2man as ours is XML
548            #188  Autotools/CMake: Support command db2x_docbook2man as well
549            #174  CMake: Introduce option WARNINGS_AS_ERRORS, defaults to OFF
550       #184 #185  CMake: Introduce option MSVC_USE_STATIC_CRT, defaults to OFF
551       #207 #208  CMake: Introduce option XML_UNICODE and XML_UNICODE_WCHAR_T,
552                    both defaulting to OFF
553            #175  CMake: Prefer check_symbol_exists over check_function_exists
554            #176  CMake: Create the same pkg-config file as with GNU Autotools
555       #178 #179  CMake: Use GNUInstallDirs module to set proper defaults for
556                    install directories
557            #208  CMake: Utilize expat_config.h.cmake for XML_DEV_URANDOM
558            #180  Windows: Fix compilation of test suite for Visual Studio 2008
559  #131 #173 #202  Address compiler warnings
560  #187 #190 #200  Fix miscellaneous typos
561                  Version info bumped from 7:7:6 to 7:8:6
562
563        Special thanks to:
564            Anton Maklakov
565            Benjamin Peterson
566            Brad King
567            Franek Korta
568            Frank Rast
569            Joe Orton
570            luzpaz
571            Pedro Vicente
572            Rainer Jung
573            Rhodri James
574            Rolf Ade
575            Rolf Eike Beer
576            Thomas Beutlich
577            Tomasz Kłoczko
578
579Release 2.2.5 Tue October 31 2017
580        Bug fixes:
581              #8  If the parser runs out of memory, make sure its internal
582                    state reflects the memory it actually has, not the memory
583                    it wanted to have.
584             #11  The default handler wasn't being called when it should for
585                    a SYSTEM or PUBLIC doctype if an entity declaration handler
586                    was registered.
587       #137 #138  Fix a case of mistakenly reported parsing success where
588                    XML_StopParser was called from an element handler
589            #162  Function XML_ErrorString was returning NULL rather than
590                    a message for code XML_ERROR_INVALID_ARGUMENT
591                    introduced with release 2.2.1
592
593        Other changes:
594            #106  xmlwf: Add argument -N adding notation declarations
595        #75 #106  Test suite: Resolve expected failure cases where xmlwf
596                    output was incomplete
597            #127  Windows: Fix test suite compilation
598       #126 #127  Windows: Fix compilation for Visual Studio 2012
599                  Windows: Upgrade shipped project files to Visual Studio 2017
600        #33 #132  tests: Mass-fix compilation for XML_UNICODE_WCHAR_T
601            #129  examples: Fix compilation for XML_UNICODE_WCHAR_T
602            #130  benchmark: Fix compilation for XML_UNICODE_WCHAR_T
603            #144  xmlwf: Fix compilation for XML_UNICODE_WCHAR_T; still needs
604                    Windows or MinGW for 2-byte wchar_t
605              #9  Address two Clang Static Analyzer false positives
606             #59  Resolve troublesome macros hiding parser struct membership
607                    and dereferencing that pointer
608              #6  Resolve superfluous internal malloc/realloc switch
609       #153 #155  Improve docbook2x-man detection
610            #160  Undefine NDEBUG in the test suite (rather than rejecting it)
611            #161  Address compiler warnings
612                  Version info bumped from 7:6:6 to 7:7:6
613
614        Special thanks to:
615            Benbuck Nason
616            Hans Wennborg
617            José Gutiérrez de la Concha
618            Pedro Monreal Gonzalez
619            Rhodri James
620            Rolf Ade
621            Stephen Groat
622                 and
623            Core Infrastructure Initiative
624
625Release 2.2.4 Sat August 19 2017
626        Bug fixes:
627            #115  Fix copying of partial characters for UTF-8 input
628
629        Other changes:
630            #109  Fix "make check" for non-x86 architectures that default
631                    to unsigned type char (-128..127 rather than 0..255)
632            #109  coverage.sh: Cover -funsigned-char
633                  Autotools: Introduce --without-xmlwf argument
634             #65  Autotools: Replace handwritten Makefile with GNU Automake
635             #43  CMake: Auto-detect high quality entropy extractors, add new
636                    option USE_libbsd=ON to use arc4random_buf of libbsd
637             #74  CMake: Add -fno-strict-aliasing only where supported
638            #114  CMake: Always honor manually set BUILD_* options
639            #114  CMake: Compile man page if docbook2x-man is available, only
640            #117  Include file tests/xmltest.log.expected in source tarball
641                    (required for "make run-xmltest")
642            #117  Include (existing) Visual Studio 2013 files in source tarball
643                  Improve test suite error output
644            #111  Fix some typos in documentation
645                  Version info bumped from 7:5:6 to 7:6:6
646
647        Special thanks to:
648            Jakub Wilk
649            Joe Orton
650            Lin Tian
651            Rolf Eike Beer
652
653Release 2.2.3 Wed August 2 2017
654        Security fixes:
655             #82  CVE-2017-11742 -- Windows: Fix DLL hijacking vulnerability
656                    using Steve Holme's LoadLibrary wrapper for/of cURL
657
658        Bug fixes:
659             #85  Fix a dangling pointer issue related to realloc
660
661        Other changes:
662                  Increase code coverage
663             #91  Linux: Allow getrandom to fail if nonblocking pool has not
664                    yet been initialized and read /dev/urandom then, instead.
665                    This is in line with what recent Python does.
666             #81  Pre-10.7/Lion macOS: Support entropy from arc4random
667             #86  Check that a UTF-16 encoding in an XML declaration has the
668                    right endianness
669        #4 #5 #7  Recover correctly when some reallocations fail
670                  Repair "./configure && make" for systems without any
671                    provider of high quality entropy
672                    and try reading /dev/urandom on those
673                  Ensure that user-defined character encodings have converter
674                    functions when they are needed
675                  Fix mis-leading description of argument -c in xmlwf.1
676                  Rely on macro HAVE_ARC4RANDOM_BUF (rather than __CloudABI__)
677                    for CloudABI
678            #100  Fix use of SIPHASH_MAIN in siphash.h
679             #23  Test suite: Fix memory leaks
680                  Version info bumped from 7:4:6 to 7:5:6
681
682        Special thanks to:
683            Chanho Park
684            Joe Orton
685            Pascal Cuoq
686            Rhodri James
687            Simon McVittie
688            Vadim Zeitlin
689            Viktor Szakats
690                 and
691            Core Infrastructure Initiative
692
693Release 2.2.2 Wed July 12 2017
694        Security fixes:
695             #43  Protect against compilation without any source of high
696                    quality entropy enabled, e.g. with CMake build system;
697                    commit ff0207e6076e9828e536b8d9cd45c9c92069b895
698             #60  Windows with _UNICODE:
699                    Unintended use of LoadLibraryW with a non-wide string
700                    resulted in failure to load advapi32.dll and degradation
701                    in quality of used entropy when compiled with _UNICODE for
702                    Windows; you can launch existing binaries with
703                    EXPAT_ENTROPY_DEBUG=1 in the environment to inspect the
704                    quality of entropy used during runtime; commits
705                    * 95b95032f907ef1cd17ee7a9a1768010a825d61d
706                    * 73a5a2e9c081f49f2d775cf7ced864158b68dc80
707   [MOX-006]      Fix non-NULL parser parameter validation in XML_Parse;
708                    resulted in NULL dereference, previously;
709                    commit ac256dafdffc9622ab0dc2c62fcecb0dfcfa71fe
710
711        Bug fixes:
712             #69  Fix improper use of unsigned long long integer literals
713
714        Other changes:
715             #73  Start requiring a C99 compiler
716             #49  Fix "==" Bashism in configure script
717             #50  Fix too eager getrandom detection for Debian GNU/kFreeBSD
718             #52    and macOS
719             #51  Address lack of stdint.h in Visual Studio 2003 to 2008
720             #58  Address compile warnings
721             #68  Fix "./buildconf.sh && ./configure" for some versions
722                    of Dash for /bin/sh
723             #72  CMake: Ease use of Expat in context of a parent project
724                    with multiple CMakeLists.txt files
725             #72  CMake: Resolve mistaken executable permissions
726             #76  Address compile warning with -DNDEBUG (not recommended!)
727             #77  Address compile warning about macro redefinition
728
729        Special thanks to:
730            Alexander Bluhm
731            Ben Boeckel
732            Cătălin Răceanu
733            Kerin Millar
734            László Böszörményi
735            S. P. Zeidler
736            Segev Finer
737            Václav Slavík
738            Victor Stinner
739            Viktor Szakats
740                 and
741            Radically Open Security
742
743Release 2.2.1 Sat June 17 2017
744        Security fixes:
745                  CVE-2017-9233 -- External entity infinite loop DoS
746                    Details: https://libexpat.github.io/doc/cve-2017-9233/
747                    Commit c4bf96bb51dd2a1b0e185374362ee136fe2c9d7f
748   [MOX-002]      CVE-2016-9063 -- Detect integer overflow; commit
749                    d4f735b88d9932bd5039df2335eefdd0723dbe20
750                    (Fixed version of existing downstream patches!)
751   (SF.net) #539  Fix regression from fix to CVE-2016-0718 cutting off
752                    longer tag names; commits
753                    * 896b6c1fd3b842f377d1b62135dccf0a579cf65d
754                    * af507cef2c93cb8d40062a0abe43a4f4e9158fb2
755             #16    * 0dbbf43fdb20f593ddf4fa1ff67288000dd4a7fd
756             #25  More integer overflow detection (function poolGrow); commits
757                    * 810b74e4703dcfdd8f404e3cb177d44684775143
758                    * 44178553f3539ce69d34abee77a05e879a7982ac
759   [MOX-002]      Detect overflow from len=INT_MAX call to XML_Parse; commits
760                    * 4be2cb5afcc018d996f34bbbce6374b7befad47f
761                    * 7e5b71b748491b6e459e5c9a1d090820f94544d8
762   [MOX-005] #30  Use high quality entropy for hash initialization:
763                    * arc4random_buf on BSD, systems with libbsd
764                      (when configured with --with-libbsd), CloudABI
765                    * RtlGenRandom on Windows XP / Server 2003 and later
766                    * getrandom on Linux 3.17+
767                    In a way, that's still part of CVE-2016-5300.
768                    https://github.com/libexpat/libexpat/pull/30/commits
769   [MOX-005]      For the low quality entropy extraction fallback code,
770                    the parser instance address can no longer leak, commit
771                    04ad658bd3079dd15cb60fc67087900f0ff4b083
772   [MOX-003]      Prevent use of uninitialised variable; commit
773   [MOX-004]        a4dc944f37b664a3ca7199c624a98ee37babdb4b
774                  Add missing parameter validation to public API functions
775                    and dedicated error code XML_ERROR_INVALID_ARGUMENT:
776   [MOX-006]        * NULL checks; commits
777                      * d37f74b2b7149a3a95a680c4c4cd2a451a51d60a (merge/many)
778                      * 9ed727064b675b7180c98cb3d4f75efba6966681
779                      * 6a747c837c50114dfa413994e07c0ba477be4534
780                    * Negative length (XML_Parse); commit
781   [MOX-002]          70db8d2538a10f4c022655d6895e4c3e78692e7f
782   [MOX-001] #35  Change hash algorithm to William Ahern's version of SipHash
783                    to go further with fixing CVE-2012-0876.
784                    https://github.com/libexpat/libexpat/pull/39/commits
785
786        Bug fixes:
787             #32  Fix sharing of hash salt across parsers;
788                    relevant where XML_ExternalEntityParserCreate is called
789                    prior to XML_Parse, in particular (e.g. FBReader)
790             #28  xmlwf: Auto-disable use of memory-mapping (and parsing
791                    as a single chunk) for files larger than ~1 GB (2^30 bytes)
792                    rather than failing with error "out of memory"
793              #3  Fix double free after malloc failure in DTD code; commit
794                    7ae9c3d3af433cd4defe95234eae7dc8ed15637f
795             #17  Fix memory leak on parser error for unbound XML attribute
796                    prefix with new namespaces defined in the same tag;
797                    found by Google's OSS-Fuzz; commits
798                    * 16f87daae5a16132e479e4f71862128c7a915c73
799                    * b47dbc9745932c160893d433220e462bd605f8cd
800                  xmlwf on Windows: Add missing calls to CloseHandle
801
802        New features:
803             #30  Introduced environment switch EXPAT_ENTROPY_DEBUG=1
804                    for runtime debugging of entropy extraction
805
806        Other changes:
807                  Increase code coverage
808             #33  Reject use of XML_UNICODE_WCHAR_T with sizeof(wchar_t) != 2;
809                    XML_UNICODE_WCHAR_T was never meant to be used outside
810                    of Windows; 4-byte wchar_t is common on Linux
811   (SF.net) #538  Start using -fno-strict-aliasing
812   (SF.net) #540  Support compilation against cloudlibc of CloudABI
813                  Allow MinGW cross-compilation
814   (SF.net) #534  CMake: Introduce option "BUILD_doc" (enabled by default)
815                    to bypass compilation of the xmlwf.1 man page
816   (SF.net)  pr2  CMake: Introduce option "INSTALL" (enabled by default)
817                    to bypass installation of expat files
818                  CMake: Fix ninja support
819                  Autotools: Add parameters --enable-xml-context [COUNT]
820                    and --disable-xml-context; default of context of 1024
821                    bytes enabled unchanged
822             #14  Drop AmigaOS 4.x code and includes
823             #14  Drop ancient build systems:
824                    * Borland C++ Builder
825                    * OpenVMS
826                    * Open Watcom
827                    * Visual Studio 6.0
828                    * Pre-X Mac OS (MPW Makefile)
829                    If you happen to rely on some of these, please get in
830                    touch for joining with maintenance.
831             #10  Move from WIN32 to _WIN32
832             #13  Fix "make run-xmltest" order instability
833                  Address compile warnings
834                  Bump version info from 7:2:6 to 7:3:6
835                  Add AUTHORS file
836
837        Infrastructure:
838              #1  Migrate from SourceForge to GitHub (except downloads):
839                    https://github.com/libexpat/
840              #1  Re-create http://libexpat.org/ project website
841                  Start utilizing Travis CI
842
843        Special thanks to:
844            Andy Wang
845            Don Lewis
846            Ed Schouten
847            Karl Waclawek
848            Pascal Cuoq
849            Rhodri James
850            Sergei Nikulov
851            Tobias Taschner
852            Viktor Szakats
853                 and
854            Core Infrastructure Initiative
855            Mozilla Foundation (MOSS Track 3: Secure Open Source)
856            Radically Open Security
857
858Release 2.2.0 Tue June 21 2016
859        Security fixes:
860            #537  CVE-2016-0718 -- Fix crash on malformed input
861                  CVE-2016-4472 -- Improve insufficient fix to CVE-2015-1283 /
862                                   CVE-2015-2716 introduced with Expat 2.1.1
863            #499  CVE-2016-5300 -- Use more entropy for hash initialization
864                                   than the original fix to CVE-2012-0876
865            #519  CVE-2012-6702 -- Resolve troublesome internal call to srand
866                                   that was introduced with Expat 2.1.0
867                                   when addressing CVE-2012-0876 (issue #496)
868
869        Bug fixes:
870                  Fix uninitialized reads of size 1
871                    (e.g. in little2_updatePosition)
872                  Fix detection of UTF-8 character boundaries
873
874        Other changes:
875            #532  Fix compilation for Visual Studio 2010 (keyword "C99")
876                  Autotools: Resolve use of "$<" to better support bmake
877                  Autotools: Add QA script "qa.sh" (and make target "qa")
878                  Autotools: Respect CXXFLAGS if given
879                  Autotools: Fix "make run-xmltest"
880                  Autotools: Have "make run-xmltest" check for expected output
881             p90  CMake: Fix static build (BUILD_shared=OFF) on Windows
882            #536  CMake: Add soversion, support -DNO_SONAME=yes to bypass
883            #323  CMake: Add suffix "d" to differentiate debug from release
884                  CMake: Define WIN32 with CMake on Windows
885                  Annotate memory allocators for GCC
886                  Address all currently known compile warnings
887                  Make sure that API symbols remain visible despite
888                    -fvisibility=hidden
889                  Remove executable flag from source files
890                  Resolve COMPILED_FROM_DSP in favor of WIN32
891
892        Special thanks to:
893            Björn Lindahl
894            Christian Heimes
895            Cristian Rodríguez
896            Daniel Krügler
897            Gustavo Grieco
898            Karl Waclawek
899            László Böszörményi
900            Marco Grassi
901            Pascal Cuoq
902            Sergei Nikulov
903            Thomas Beutlich
904            Warren Young
905            Yann Droneaud
906
907Release 2.1.1 Sat March 12 2016
908        Security fixes:
909            #582: CVE-2015-1283 - Multiple integer overflows in XML_GetBuffer
910
911        Bug fixes:
912            #502: Fix potential null pointer dereference
913            #520: Symbol XML_SetHashSalt was not exported
914            Output of "xmlwf -h" was incomplete
915
916        Other changes:
917            #503: Document behavior of calling XML_SetHashSalt with salt 0
918            Minor improvements to man page xmlwf(1)
919            Improvements to the experimental CMake build system
920            libtool now invoked with --verbose
921
922Release 2.1.0 Sat March 24 2012
923        - Security fixes:
924          #2958794: CVE-2012-1148 - Memory leak in poolGrow.
925          #2895533: CVE-2012-1147 - Resource leak in readfilemap.c.
926          #3496608: CVE-2012-0876 - Hash DOS attack.
927          #2894085: CVE-2009-3560 - Buffer over-read and crash in big2_toUtf8().
928          #1990430: CVE-2009-3720 - Parser crash with special UTF-8 sequences.
929        - Bug Fixes:
930          #1742315: Harmful XML_ParserCreateNS suggestion.
931          #1785430: Expat build fails on linux-amd64 with gcc version>=4.1 -O3.
932          #1983953, 2517952, 2517962, 2649838:
933                Build modifications using autoreconf instead of buildconf.sh.
934          #2815947, #2884086: OBJEXT and EXEEXT support while building.
935          #2517938: xmlwf should return non-zero exit status if not well-formed.
936          #2517946: Wrong statement about XMLDecl in xmlwf.1 and xmlwf.sgml.
937          #2855609: Dangling positionPtr after error.
938          #2990652: CMake support.
939          #3010819: UNEXPECTED_STATE with a trailing "%" in entity value.
940          #3206497: Uninitialized memory returned from XML_Parse.
941          #3287849: make check fails on mingw-w64.
942        - Patches:
943          #1749198: pkg-config support.
944          #3010222: Fix for bug #3010819.
945          #3312568: CMake support.
946          #3446384: Report byte offsets for attr names and values.
947        - New Features / API changes:
948          Added new API member XML_SetHashSalt() that allows setting an initial
949                value (salt) for hash calculations. This is part of the fix for
950                bug #3496608 to randomize hash parameters.
951          When compiled with XML_ATTR_INFO defined, adds new API member
952                XML_GetAttributeInfo() that allows retrieving the byte
953                offsets for attribute names and values (patch #3446384).
954          Added CMake build system.
955                See bug #2990652 and patch #3312568.
956          Added run-benchmark target to Makefile.in - relies on testdata module
957                present in the same relative location as in the repository.
958
959Release 2.0.1 Tue June 5 2007
960        - Fixed bugs #1515266, #1515600: The character data handler's calling
961          of XML_StopParser() was not handled properly; if the parser was
962          stopped and the handler set to NULL, the parser would segfault.
963        - Fixed bug #1690883: Expat failed on EBCDIC systems as it assumed
964          some character constants to be ASCII encoded.
965        - Minor cleanups of the test harness.
966        - Fixed xmlwf bug #1513566: "out of memory" error on file size zero.
967        - Fixed outline.c bug #1543233: missing a final XML_ParserFree() call.
968        - Fixes and improvements for Windows platform:
969          bugs #1409451, #1476160, #1548182, #1602769, #1717322.
970        - Build fixes for various platforms:
971          HP-UX, Tru64, Solaris 9: patch #1437840, bug #1196180.
972          All Unix: #1554618 (refreshed config.sub/config.guess).
973                    #1490371, #1613457: support both, DESTDIR and INSTALL_ROOT,
974                    without relying on GNU-Make specific features.
975          #1647805: Patched configure.in to work better with Intel compiler.
976        - Fixes to Makefile.in to have make check work correctly:
977          bugs #1408143, #1535603, #1536684.
978        - Added Open Watcom support: patch #1523242.
979
980Release 2.0.0 Wed Jan 11 2006
981        - We no longer use the "check" library for C unit testing; we
982          always use the (partial) internal implementation of the API.
983        - Report XML_NS setting via XML_GetFeatureList().
984        - Fixed headers for use from C++.
985        - XML_GetCurrentLineNumber() and  XML_GetCurrentColumnNumber()
986          now return unsigned integers.
987        - Added XML_LARGE_SIZE switch to enable 64-bit integers for
988          byte indexes and line/column numbers.
989        - Updated to use libtool 1.5.22 (the most recent).
990        - Added support for AmigaOS.
991        - Some mostly minor bug fixes. SF issues include: #1006708,
992          #1021776, #1023646, #1114960, #1156398, #1221160, #1271642.
993
994Release 1.95.8 Fri Jul 23 2004
995        - Major new feature: suspend/resume.  Handlers can now request
996          that a parse be suspended for later resumption or aborted
997          altogether.  See "Temporarily Stopping Parsing" in the
998          documentation for more details.
999        - Some mostly minor bug fixes, but compilation should no
1000          longer generate warnings on most platforms.  SF issues
1001          include: #827319, #840173, #846309, #888329, #896188, #923913,
1002          #928113, #961698, #985192.
1003
1004Release 1.95.7 Mon Oct 20 2003
1005        - Fixed enum XML_Status issue (reported on SourceForge many
1006          times), so compilers that are properly picky will be happy.
1007        - Introduced an XMLCALL macro to control the calling
1008          convention used by the Expat API; this macro should be used
1009          to annotate prototypes and definitions of callback
1010          implementations in code compiled with a calling convention
1011          other than the default convention for the host platform.
1012        - Improved ability to build without the configure-generated
1013          expat_config.h header.  This is useful for applications
1014          which embed Expat rather than linking in the library.
1015        - Fixed a variety of bugs: see SF issues #458907, #609603,
1016          #676844, #679754, #692878, #692964, #695401, #699323, #699487,
1017          #820946.
1018        - Improved hash table lookups.
1019        - Added more regression tests and improved documentation.
1020
1021Release 1.95.6 Tue Jan 28 2003
1022        - Added XML_FreeContentModel().
1023        - Added XML_MemMalloc(), XML_MemRealloc(), XML_MemFree().
1024        - Fixed a variety of bugs: see SF issues #615606, #616863,
1025          #618199, #653180, #673791.
1026        - Enhanced the regression test suite.
1027        - Man page improvements: includes SF issue #632146.
1028
1029Release 1.95.5 Fri Sep 6 2002
1030        - Added XML_UseForeignDTD() for improved SAX2 support.
1031        - Added XML_GetFeatureList().
1032        - Defined XML_Bool type and the values XML_TRUE and XML_FALSE.
1033        - Use an incomplete struct instead of a void* for the parser
1034          (may not retain).
1035        - Fixed UTF-8 decoding bug that caused legal UTF-8 to be rejected.
1036        - Finally fixed bug where default handler would report DTD
1037          events that were already handled by another handler.
1038          Initial patch contributed by Darryl Miles.
1039        - Removed unnecessary DllMain() function that caused static
1040          linking into a DLL to be difficult.
1041        - Added VC++ projects for building static libraries.
1042        - Reduced line-length for all source code and headers to be
1043          no longer than 80 characters, to help with AS/400 support.
1044        - Reduced memory copying during parsing (SF patch #600964).
1045        - Fixed a variety of bugs: see SF issues #580793, #434664,
1046          #483514, #580503, #581069, #584041, #584183, #584832, #585537,
1047          #596555, #596678, #598352, #598944, #599715, #600479, #600971.
1048
1049Release 1.95.4 Fri Jul 12 2002
1050        - Added support for VMS, contributed by Craig Berry.  See
1051          vms/README.vms for more information.
1052        - Added Mac OS (classic) support, with a makefile for MPW,
1053          contributed by Thomas Wegner and Daryle Walker.
1054        - Added Borland C++ Builder 5 / BCC 5.5 support, contributed
1055          by Patrick McConnell (SF patch #538032).
1056        - Fixed a variety of bugs: see SF issues #441449, #563184,
1057          #564342, #566334, #566901, #569461, #570263, #575168, #579196.
1058        - Made skippedEntityHandler conform to SAX2 (see source comment)
1059        - Re-implemented WFC: Entity Declared from XML 1.0 spec and
1060          added a new error "entity declared in parameter entity":
1061          see SF bug report #569461 and SF patch #578161
1062        - Re-implemented section 5.1 from XML 1.0 spec:
1063          see SF bug report #570263 and SF patch #578161
1064
1065Release 1.95.3 Mon Jun 3 2002
1066        - Added a project to the MSVC workspace to create a wchar_t
1067          version of the library; the DLLs are named libexpatw.dll.
1068        - Changed the name of the Windows DLLs from expat.dll to
1069          libexpat.dll; this fixes SF bug #432456.
1070        - Added the XML_ParserReset() API function.
1071        - Fixed XML_SetReturnNSTriplet() to work for element names.
1072        - Made the XML_UNICODE builds usable (thanks, Karl!).
1073        - Allow xmlwf to read from standard input.
1074        - Install a man page for xmlwf on Unix systems.
1075        - Fixed many bugs; see SF bug reports #231864, #461380, #464837,
1076          #466885, #469226, #477667, #484419, #487840, #494749, #496505,
1077          #547350.  Other bugs which we can't test as easily may also
1078          have been fixed, especially in the area of build support.
1079
1080Release 1.95.2 Fri Jul 27 2001
1081        - More changes to make MSVC happy with the build; add a single
1082          workspace to support both the library and xmlwf application.
1083        - Added a Windows installer for Windows users; includes
1084          xmlwf.exe.
1085        - Added compile-time constants that can be used to determine the
1086          Expat version
1087        - Removed a lot of GNU-specific dependencies to aide portability
1088          among the various Unix flavors.
1089        - Fix the UTF-8 BOM bug.
1090        - Cleaned up warning messages for several compilers.
1091        - Added the -Wall, -Wstrict-prototypes options for GCC.
1092
1093Release 1.95.1 Sun Oct 22 15:11:36 EDT 2000
1094        - Changes to get expat to build under Microsoft compiler
1095        - Removed all aborts and instead return an UNEXPECTED_STATE error.
1096        - Fixed a bug where a stray '%' in an entity value would cause an
1097          abort.
1098        - Defined XML_SetEndNamespaceDeclHandler. Thanks to Darryl Miles for
1099          finding this oversight.
1100        - Changed default patterns in lib/Makefile.in to fit non-GNU makes
1101          Thanks to robin@unrated.net for reporting and providing an
1102          account to test on.
1103        - The reference had the wrong label for XML_SetStartNamespaceDecl.
1104          Reported by an anonymous user.
1105
1106Release 1.95.0 Fri Sep 29 2000
1107        - XML_ParserCreate_MM
1108                Allows you to set a memory management suite to replace the
1109                standard malloc,realloc, and free.
1110        - XML_SetReturnNSTriplet
1111                If you turn this feature on when namespace processing is in
1112                effect, then qualified, prefixed element and attribute names
1113                are returned as "uri|name|prefix" where '|' is whatever
1114                separator character is used in namespace processing.
1115        - Merged in features from perl-expat
1116                o XML_SetElementDeclHandler
1117                o XML_SetAttlistDeclHandler
1118                o XML_SetXmlDeclHandler
1119                o XML_SetEntityDeclHandler
1120                o StartDoctypeDeclHandler takes 3 additional parameters:
1121                        sysid, pubid, has_internal_subset
1122                o Many paired handler setters (like XML_SetElementHandler)
1123                  now have corresponding individual handler setters
1124                o XML_GetInputContext for getting the input context of
1125                  the current parse position.
1126        - Added reference material
1127        - Packaged into a distribution that builds a sharable library
1128