xref: /freebsd/contrib/expat/Changes (revision b1879975794772ee51f0b4865753364c7d7626c3)
1                           __  __            _
2                        ___\ \/ /_ __   __ _| |_
3                       / _ \\  /| '_ \ / _` | __|
4                      |  __//  \| |_) | (_| | |_
5                       \___/_/\_\ .__/ \__,_|\__|
6                                |_| XML parser
7
8!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
9!! <blink>Expat is UNDERSTAFFED and WITHOUT FUNDING.</blink>                 !!
10!!                 ~~~~~~~~~~~~                                              !!
11!! The following topics need *additional skilled C developers* to progress   !!
12!! in a timely manner or at all (loosely ordered by descending priority):    !!
13!!                                                                           !!
14!! - <blink>fixing a complex non-public security issue</blink>,              !!
15!! - teaming up on researching and fixing future security reports and        !!
16!!   ClusterFuzz findings with few-days-max response times in communication  !!
17!!   in order to (1) have a sound fix ready before the end of a 90 days      !!
18!!   grace period and (2) in a sustainable manner,                           !!
19!! - implementing and auto-testing XML 1.0r5 support                         !!
20!!   (needs discussion before pull requests),                                !!
21!! - smart ideas on fixing the Autotools CMake files generation issue        !!
22!!   without breaking CI (needs discussion before pull requests),            !!
23!! - the Windows binaries topic (needs requirements engineering first),      !!
24!! - pushing migration from `int` to `size_t` further                        !!
25!!   including edge-cases test coverage (needs discussion before anything).  !!
26!!                                                                           !!
27!! For details, please reach out via e-mail to sebastian@pipping.org so we   !!
28!! can schedule a voice call on the topic, in English or German.             !!
29!!                                                                           !!
30!! THANK YOU!                        Sebastian Pipping -- Berlin, 2024-03-09 !!
31!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
32
33Release 2.6.4 Wed November 6 2024
34        Security fixes:
35            #915  CVE-2024-50602 -- Fix crash within function XML_ResumeParser
36                    from a NULL pointer dereference by disallowing function
37                    XML_StopParser to (stop or) suspend an unstarted parser.
38                    A new error code XML_ERROR_NOT_STARTED was introduced to
39                    properly communicate this situation.  // CWE-476 CWE-754
40
41        Other changes:
42            #903  CMake: Add alias target "expat::expat"
43            #905  docs: Document use via CMake >=3.18 with FetchContent
44                    and SOURCE_SUBDIR and its consequences
45            #902  tests: Reduce use of global parser instance
46            #904  tests: Resolve duplicate handler
47       #317 #918  tests: Improve tests on doctype closing (ex CVE-2019-15903)
48            #914  Fix signedness of format strings
49       #919 #920  Version info bumped from 10:3:9 (libexpat*.so.1.9.3)
50                    to 11:0:10 (libexpat*.so.1.10.0); see https://verbump.de/
51                    for what these numbers do
52
53        Infrastructure:
54            #907  CI: Upgrade Clang from 18 to 19
55            #913  CI: Drop macos-12 and add macos-15
56            #910  CI: Adapt to breaking changes in GitHub Actions
57            #898  Add missing entries to .gitignore
58
59        Special thanks to:
60            Hanno Böck
61            José Eduardo Gutiérrez Conejo
62            José Ricardo Cardona Quesada
63
64Release 2.6.3 Wed September 4 2024
65        Security fixes:
66       #887 #890  CVE-2024-45490 -- Calling function XML_ParseBuffer with
67                    len < 0 without noticing and then calling XML_GetBuffer
68                    will have XML_ParseBuffer fail to recognize the problem
69                    and XML_GetBuffer corrupt memory.
70                    With the fix, XML_ParseBuffer now complains with error
71                    XML_ERROR_INVALID_ARGUMENT just like sibling XML_Parse
72                    has been doing since Expat 2.2.1, and now documented.
73                    Impact is denial of service to potentially artitrary code
74                    execution.
75       #888 #891  CVE-2024-45491 -- Internal function dtdCopy can have an
76                    integer overflow for nDefaultAtts on 32-bit platforms
77                    (where UINT_MAX equals SIZE_MAX).
78                    Impact is denial of service to potentially artitrary code
79                    execution.
80       #889 #892  CVE-2024-45492 -- Internal function nextScaffoldPart can
81                    have an integer overflow for m_groupSize on 32-bit
82                    platforms (where UINT_MAX equals SIZE_MAX).
83                    Impact is denial of service to potentially artitrary code
84                    execution.
85
86        Other changes:
87       #851 #879  Autotools: Sync CMake templates with CMake 3.28
88            #853  Autotools: Always provide path to find(1) for portability
89            #861  Autotools: Ensure that the m4 directory always exists.
90            #870  Autotools: Simplify handling of SIZEOF_VOID_P
91            #869  Autotools: Support non-GNU sed
92            #856  Autotools|CMake: Fix main() to main(void)
93            #865  Autotools|CMake: Fix compile tests for HAVE_SYSCALL_GETRANDOM
94            #863  Autotools|CMake: Stop requiring dos2unix
95       #854 #855  CMake: Fix check for symbols size_t and off_t
96            #864  docs|tests: Convert README to Markdown and update
97            #741  Windows: Drop support for Visual Studio <=15.0/2017
98            #886  Drop needless XML_DTD guards around is_param access
99            #885  Fix typo in a code comment
100       #894 #896  Version info bumped from 10:2:9 (libexpat*.so.1.9.2)
101                    to 10:3:9 (libexpat*.so.1.9.3); see https://verbump.de/
102                    for what these numbers do
103
104        Infrastructure:
105            #880  Readme: Promote the call for help
106            #868  CI: Fix various issues
107            #849  CI: Allow triggering GitHub Actions workflows manually
108    #851 #872 ..
109       #873 #879  CI: Adapt to breaking changes in GitHub Actions
110
111        Special thanks to:
112            Alexander Bluhm
113            Berkay Eren Ürün
114            Dag-Erling Smørgrav
115            Ferenc Géczi
116            TaiYou
117
118Release 2.6.2 Wed March 13 2024
119        Security fixes:
120       #839 #842  CVE-2024-28757 -- Prevent billion laughs attacks with
121                    isolated use of external parsers.  Please see the commit
122                    message of commit 1d50b80cf31de87750103656f6eb693746854aa8
123                    for details.
124
125        Bug fixes:
126       #839 #841  Reject direct parameter entity recursion
127                    and avoid the related undefined behavior
128
129        Other changes:
130            #847  Autotools: Fix build for DOCBOOK_TO_MAN containing spaces
131            #837  Add missing #821 and #824 to 2.6.1 change log
132       #838 #843  Version info bumped from 10:1:9 (libexpat*.so.1.9.1)
133                    to 10:2:9 (libexpat*.so.1.9.2); see https://verbump.de/
134                    for what these numbers do
135
136        Special thanks to:
137            Philippe Antoine
138            Tomas Korbar
139                 and
140            Clang UndefinedBehaviorSanitizer
141            OSS-Fuzz / ClusterFuzz
142
143Release 2.6.1 Thu February 29 2024
144        Bug fixes:
145            #817  Make tests independent of CPU speed, and thus more robust
146       #828 #836  Expose billion laughs API with XML_DTD defined and
147                    XML_GE undefined, regression from 2.6.0
148
149        Other changes:
150            #829  Hide test-only code behind new internal macro
151            #833  Autotools: Reject expat_config.h.in defining SIZEOF_VOID_P
152       #821 #824  Autotools: Fix "make clean" for case:
153                    ./configure --without-docbook && make clean all
154            #819  Address compiler warnings
155       #832 #834  Version info bumped from 10:0:9 (libexpat*.so.1.9.0)
156                    to 10:1:9 (libexpat*.so.1.9.1); see https://verbump.de/
157                    for what these numbers do
158
159        Infrastructure:
160            #818  CI: Adapt to breaking changes in clang-format
161
162        Special thanks to:
163            David Hall
164            Snild Dolkow
165
166Release 2.6.0 Tue February 6 2024
167        Security fixes:
168      #789 #814  CVE-2023-52425 -- Fix quadratic runtime issues with big tokens
169                   that can cause denial of service, in partial where
170                   dealing with compressed XML input.  Applications
171                   that parsed a document in one go -- a single call to
172                   functions XML_Parse or XML_ParseBuffer -- were not affected.
173                   The smaller the chunks/buffers you use for parsing
174                   previously, the bigger the problem prior to the fix.
175                   Backporters should be careful to no omit parts of
176                   pull request #789 and to include earlier pull request #771,
177                   in order to not break the fix.
178           #777  CVE-2023-52426 -- Fix billion laughs attacks for users
179                   compiling *without* XML_DTD defined (which is not common).
180                   Users with XML_DTD defined have been protected since
181                   Expat >=2.4.0 (and that was CVE-2013-0340 back then).
182
183        Bug fixes:
184            #753  Fix parse-size-dependent "invalid token" error for
185                    external entities that start with a byte order mark
186            #780  Fix NULL pointer dereference in setContext via
187                    XML_ExternalEntityParserCreate for compilation with
188                    XML_DTD undefined
189       #812 #813  Protect against closing entities out of order
190
191        Other changes:
192            #723  Improve support for arc4random/arc4random_buf
193       #771 #788  Improve buffer growth in XML_GetBuffer and XML_Parse
194       #761 #770  xmlwf: Support --help and --version
195       #759 #770  xmlwf: Support custom buffer size for XML_GetBuffer and read
196            #744  xmlwf: Improve language and URL clickability in help output
197            #673  examples: Add new example "element_declarations.c"
198            #764  Be stricter about macro XML_CONTEXT_BYTES at build time
199            #765  Make inclusion to expat_config.h consistent
200       #726 #727  Autotools: configure.ac: Support --disable-maintainer-mode
201    #678 #705 ..
202  #706 #733 #792  Autotools: Sync CMake templates with CMake 3.26
203            #795  Autotools: Make installation of shipped man page doc/xmlwf.1
204                    independent of docbook2man availability
205            #815  Autotools|CMake: Add missing -DXML_STATIC to pkg-config file
206                    section "Cflags.private" in order to fix compilation
207                    against static libexpat using pkg-config on Windows
208       #724 #751  Autotools|CMake: Require a C99 compiler
209                    (a de-facto requirement already since Expat 2.2.2 of 2017)
210            #793  Autotools|CMake: Fix PACKAGE_BUGREPORT variable
211       #750 #786  Autotools|CMake: Make test suite require a C++11 compiler
212            #749  CMake: Require CMake >=3.5.0
213            #672  CMake: Lowercase off_t and size_t to help a bug in Meson
214            #746  CMake: Sort xmlwf sources alphabetically
215            #785  CMake|Windows: Fix generation of DLL file version info
216            #790  CMake: Build tests/benchmark/benchmark.c as well for
217                    a build with -DEXPAT_BUILD_TESTS=ON
218       #745 #757  docs: Document the importance of isFinal + adjust tests
219                    accordingly
220            #736  docs: Improve use of "NULL" and "null"
221            #713  docs: Be specific about version of XML (XML 1.0r4)
222                    and version of C (C99); (XML 1.0r5 will need a sponsor.)
223            #762  docs: reference.html: Promote function XML_ParseBuffer more
224            #779  docs: reference.html: Add HTML anchors to XML_* macros
225            #760  docs: reference.html: Upgrade to OK.css 1.2.0
226       #763 #739  docs: Fix typos
227            #696  docs|CI: Use HTTPS URLs instead of HTTP at various places
228    #669 #670 ..
229    #692 #703 ..
230       #733 #772  Address compiler warnings
231       #798 #800  Address clang-tidy warnings
232       #775 #776  Version info bumped from 9:10:8 (libexpat*.so.1.8.10)
233                    to 10:0:9 (libexpat*.so.1.9.0); see https://verbump.de/
234                    for what these numbers do
235
236        Infrastructure:
237       #700 #701  docs: Document security policy in file SECURITY.md
238            #766  docs: Improve parse buffer variables in-code documentation
239    #674 #738 ..
240    #740 #747 ..
241  #748 #781 #782  Refactor coverage and conformance tests
242       #714 #716  Refactor debug level variables to unsigned long
243            #671  Improve handling of empty environment variable value
244                    in function getDebugLevel (without visible user effect)
245    #755 #774 ..
246    #758 #783 ..
247       #784 #787  tests: Improve test coverage with regard to parse chunk size
248  #660 #797 #801  Fuzzing: Improve fuzzing coverage
249       #367 #799  Fuzzing|CI: Start running OSS-Fuzz fuzzing regression tests
250       #698 #721  CI: Resolve some Travis CI leftovers
251            #669  CI: Be robust towards absence of Git tags
252       #693 #694  CI: Set permissions to "contents: read" for security
253            #709  CI: Pin all GitHub Actions to specific commits for security
254            #739  CI: Reject spelling errors using codespell
255            #798  CI: Enforce clang-tidy clean code
256    #773 #808 ..
257       #809 #810  CI: Upgrade Clang from 15 to 18
258            #796  CI: Start using Clang's Control Flow Integrity sanitizer
259  #675 #720 #722  CI: Adapt to breaking changes in GitHub Actions Ubuntu images
260            #689  CI: Adapt to breaking changes in Clang/LLVM Debian packaging
261            #763  CI: Adapt to breaking changes in codespell
262            #803  CI: Adapt to breaking changes in Cppcheck
263
264        Special thanks to:
265            Ivan Galkin
266            Joyce Brum
267            Philippe Antoine
268            Rhodri James
269            Snild Dolkow
270            spookyahell
271            Steven Garske
272                 and
273            Clang AddressSanitizer
274            Clang UndefinedBehaviorSanitizer
275            codespell
276            GCC Farm Project
277            OSS-Fuzz
278            Sony Mobile
279
280Release 2.5.0 Tue October 25 2022
281        Security fixes:
282  #616 #649 #650  CVE-2022-43680 -- Fix heap use-after-free after overeager
283                    destruction of a shared DTD in function
284                    XML_ExternalEntityParserCreate in out-of-memory situations.
285                    Expected impact is denial of service or potentially
286                    arbitrary code execution.
287
288        Bug fixes:
289       #612 #645  Fix corruption from undefined entities
290       #613 #654  Fix case when parsing was suspended while processing nested
291                    entities
292  #616 #652 #653  Stop leaking opening tag bindings after a closing tag
293                    mismatch error where a parser is reset through
294                    XML_ParserReset and then reused to parse
295            #656  CMake: Fix generation of pkg-config file
296            #658  MinGW|CMake: Fix static library name
297
298        Other changes:
299            #663  Protect header expat_config.h from multiple inclusion
300            #666  examples: Make use of XML_GetBuffer and be more
301                    consistent across examples
302            #648  Address compiler warnings
303       #667 #668  Version info bumped from 9:9:8 to 9:10:8;
304                    see https://verbump.de/ for what these numbers do
305
306        Special thanks to:
307            Jann Horn
308            Mark Brand
309            Osyotr
310            Rhodri James
311                 and
312            Google Project Zero
313
314Release 2.4.9 Tue September 20 2022
315        Security fixes:
316       #629 #640  CVE-2022-40674 -- Heap use-after-free vulnerability in
317                    function doContent. Expected impact is denial of service
318                    or potentially arbitrary code execution.
319
320        Bug fixes:
321            #634  MinGW: Fix mis-compilation for -D__USE_MINGW_ANSI_STDIO=0
322            #614  docs: Fix documentation on effect of switch XML_DTD on
323                    symbol visibility in doc/reference.html
324
325        Other changes:
326            #638  MinGW: Make fix-xmltest-log.sh drop more Wine bug output
327       #596 #625  Autotools: Sync CMake templates with CMake 3.22
328            #608  CMake: Migrate from use of CMAKE_*_POSTFIX to
329                    dedicated variables EXPAT_*_POSTFIX to stop affecting
330                    other projects
331       #597 #599  Windows|CMake: Add missing -DXML_STATIC to test runners
332                    and fuzzers
333       #512 #621  Windows|CMake: Render .def file from a template to fix
334                    linking with -DEXPAT_DTD=OFF and/or -DEXPAT_ATTR_INFO=ON
335       #611 #621  MinGW|CMake: Apply MSVC .def file when linking
336       #622 #624  MinGW|CMake: Sync library name with GNU Autotools,
337                    i.e. produce libexpat-1.dll rather than libexpat.dll
338                    by default.  Filename libexpat.dll.a is unaffected.
339            #632  MinGW|CMake: Set missing variable CMAKE_RC_COMPILER in
340                    toolchain file "cmake/mingw-toolchain.cmake" to avoid
341                    error "windres: Command not found" on e.g. Ubuntu 20.04
342       #597 #627  CMake: Unify inconsistent use of set() and option() in
343                    context of public build time options to take need for
344                    set(.. FORCE) in projects using Expat by means of
345                    add_subdirectory(..) off Expat's users' shoulders
346       #626 #641  Stop exporting API symbols when building a static library
347            #644  Resolve use of deprecated "fgrep" by "grep -F"
348            #620  CMake: Make documentation on variables a bit more consistent
349            #636  CMake: Drop leading whitespace from a #cmakedefine line in
350                    file expat_config.h.cmake
351            #594  xmlwf: Fix harmless variable mix-up in function nsattcmp
352  #592 #593 #610  Address Cppcheck warnings
353            #643  Address Clang 15 compiler warnings
354       #642 #644  Version info bumped from 9:8:8 to 9:9:8;
355                    see https://verbump.de/ for what these numbers do
356
357        Infrastructure:
358       #597 #598  CI: Windows: Start covering MSVC 2022
359            #619  CI: macOS: Migrate off deprecated macOS 10.15
360            #632  CI: Linux: Make migration off deprecated Ubuntu 18.04 work
361            #643  CI: Upgrade Clang from 14 to 15
362            #637  apply-clang-format.sh: Add support for BSD find
363            #633  coverage.sh: Exclude MinGW headers
364            #635  coverage.sh: Fix name collision for -funsigned-char
365
366        Special thanks to:
367            David Faure
368            Felix Wilhelm
369            Frank Bergmann
370            Rhodri James
371            Rosen Penev
372            Thijs Schreijer
373            Vincent Torri
374                 and
375            Google Project Zero
376
377Release 2.4.8 Mon March 28 2022
378        Other changes:
379            #587  pkg-config: Move "-lm" to section "Libs.private"
380            #587  CMake|MSVC: Fix pkg-config section "Libs"
381        #55 #582  CMake|macOS: Start using linker arguments
382                    "-compatibility_version <version>" and
383                    "-current_version <version>" in a way compatible with
384                    GNU Libtool
385       #590 #591  Version info bumped from 9:7:8 to 9:8:8;
386                    see https://verbump.de/ for what these numbers do
387
388        Infrastructure:
389            #589  CI: Upgrade Clang from 13 to 14
390
391        Special thanks to:
392            evpobr
393            Kai Pastor
394            Sam James
395
396Release 2.4.7 Fri March 4 2022
397        Bug fixes:
398       #572 #577  Relax fix to CVE-2022-25236 (introduced with release 2.4.5)
399                    with regard to all valid URI characters (RFC 3986),
400                    i.e. the following set (excluding whitespace):
401                    ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz
402                    0123456789 % -._~ :/?#[]@ !$&'()*+,;=
403
404        Other changes:
405  #555 #570 #581  CMake|Windows: Store Expat version in the DLL
406            #577  Document consequences of namespace separator choices not just
407                    in doc/reference.html but also in header <expat.h>
408            #577  Document Expat's lack of validation of namespace URIs against
409                    RFC 3986, and that the XML 1.0r4 specification doesn't
410                    require Expat to validate namespace URIs, and that Expat
411                    may do more in that regard in future releases.
412                    If you find need for strict RFC 3986 URI validation on
413                    application level today, https://uriparser.github.io/ may
414                    be of interest.
415            #579  Fix documentation of XML_EndDoctypeDeclHandler in <expat.h>
416            #575  Document that a call to XML_FreeContentModel can be done at
417                    a later time from outside the element declaration handler
418            #574  Make hardcoded namespace URIs easier to find in code
419            #573  Update documentation on use of XML_POOR_ENTOPY on Solaris
420       #569 #571  tests: Resolve use of macros NAN and INFINITY for GNU G++
421                    4.8.2 on Solaris.
422       #578 #580  Version info bumped from 9:6:8 to 9:7:8;
423                    see https://verbump.de/ for what these numbers do
424
425        Special thanks to:
426            Jeffrey Walton
427            Johnny Jazeix
428            Thijs Schreijer
429
430Release 2.4.6 Sun February 20 2022
431        Bug fixes:
432            #566  Fix a regression introduced by the fix for CVE-2022-25313
433                    in release 2.4.5 that affects applications that (1)
434                    call function XML_SetElementDeclHandler and (2) are
435                    parsing XML that contains nested element declarations
436                    (e.g. "<!ELEMENT junk ((bar|foo|xyz+), zebra*)>").
437
438        Other changes:
439       #567 #568  Version info bumped from 9:5:8 to 9:6:8;
440                    see https://verbump.de/ for what these numbers do
441
442        Special thanks to:
443            Matt Sergeant
444            Samanta Navarro
445            Sergei Trofimovich
446                 and
447            NixOS
448            Perl XML::Parser
449
450Release 2.4.5 Fri February 18 2022
451        Security fixes:
452            #562  CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8
453                    sequences (e.g. from start tag names) to the XML
454                    processing application on top of Expat can cause
455                    arbitrary damage (e.g. code execution) depending
456                    on how invalid UTF-8 is handled inside the XML
457                    processor; validation was not their job but Expat's.
458                    Exploits with code execution are known to exist.
459            #561  CVE-2022-25236 -- Passing (one or more) namespace separator
460                    characters in "xmlns[:prefix]" attribute values
461                    made Expat send malformed tag names to the XML
462                    processor on top of Expat which can cause
463                    arbitrary damage (e.g. code execution) depending
464                    on such unexpectable cases are handled inside the XML
465                    processor; validation was not their job but Expat's.
466                    Exploits with code execution are known to exist.
467            #558  CVE-2022-25313 -- Fix stack exhaustion in doctype parsing
468                    that could be triggered by e.g. a 2 megabytes
469                    file with a large number of opening braces.
470                    Expected impact is denial of service or potentially
471                    arbitrary code execution.
472            #560  CVE-2022-25314 -- Fix integer overflow in function copyString;
473                    only affects the encoding name parameter at parser creation
474                    time which is often hardcoded (rather than user input),
475                    takes a value in the gigabytes to trigger, and a 64-bit
476                    machine.  Expected impact is denial of service.
477            #559  CVE-2022-25315 -- Fix integer overflow in function storeRawNames;
478                    needs input in the gigabytes and a 64-bit machine.
479                    Expected impact is denial of service or potentially
480                    arbitrary code execution.
481
482        Other changes:
483       #557 #564  Version info bumped from 9:4:8 to 9:5:8;
484                    see https://verbump.de/ for what these numbers do
485
486        Special thanks to:
487            Ivan Fratric
488            Samanta Navarro
489                 and
490            Google Project Zero
491            JetBrains
492
493Release 2.4.4 Sun January 30 2022
494        Security fixes:
495            #550  CVE-2022-23852 -- Fix signed integer overflow
496                    (undefined behavior) in function XML_GetBuffer
497                    (that is also called by function XML_Parse internally)
498                    for when XML_CONTEXT_BYTES is defined to >0 (which is both
499                    common and default).
500                    Impact is denial of service or more.
501            #551  CVE-2022-23990 -- Fix unsigned integer overflow in function
502                    doProlog triggered by large content in element type
503                    declarations when there is an element declaration handler
504                    present (from a prior call to XML_SetElementDeclHandler).
505                    Impact is denial of service or more.
506
507        Bug fixes:
508       #544 #545  xmlwf: Fix a memory leak on output file opening error
509
510        Other changes:
511            #546  Autotools: Fix broken CMake support under Cygwin
512            #554  Windows: Add missing files to the installer to fix
513                    compilation with CMake from installed sources
514       #552 #554  Version info bumped from 9:3:8 to 9:4:8;
515                    see https://verbump.de/ for what these numbers do
516
517        Special thanks to:
518            Carlo Bramini
519            hwt0415
520            Roland Illig
521            Samanta Navarro
522                 and
523            Clang LeakSan and the Clang team
524
525Release 2.4.3 Sun January 16 2022
526        Security fixes:
527       #531 #534  CVE-2021-45960 -- Fix issues with left shifts by >=29 places
528                    resulting in
529                      a) realloc acting as free
530                      b) realloc allocating too few bytes
531                      c) undefined behavior
532                    depending on architecture and precise value
533                    for XML documents with >=2^27+1 prefixed attributes
534                    on a single XML tag a la
535                    "<r xmlns:a='[..]' a:a123='[..]' [..] />"
536                    where XML_ParserCreateNS is used to create the parser
537                    (which needs argument "-n" when running xmlwf).
538                    Impact is denial of service, or more.
539       #532 #538  CVE-2021-46143 (ZDI-CAN-16157) -- Fix integer overflow
540                    on variable m_groupSize in function doProlog leading
541                    to realloc acting as free.
542                    Impact is denial of service or more.
543            #539  CVE-2022-22822 to CVE-2022-22827 -- Prevent integer overflows
544                    near memory allocation at multiple places.  Mitre assigned
545                    a dedicated CVE for each involved internal C function:
546                    - CVE-2022-22822 for function addBinding
547                    - CVE-2022-22823 for function build_model
548                    - CVE-2022-22824 for function defineAttribute
549                    - CVE-2022-22825 for function lookup
550                    - CVE-2022-22826 for function nextScaffoldPart
551                    - CVE-2022-22827 for function storeAtts
552                    Impact is denial of service or more.
553
554        Other changes:
555            #535  CMake: Make call to file(GENERATE [..]) work for CMake <3.19
556            #541  Autotools|CMake: MinGW: Make run.sh(.in) work for Cygwin
557                    and MSYS2 by not going through Wine on these platforms
558       #527 #528  Address compiler warnings
559       #533 #543  Version info bumped from 9:2:8 to 9:3:8;
560                    see https://verbump.de/ for what these numbers do
561
562        Infrastructure:
563            #536  CI: Check for realistic minimum CMake version
564       #529 #539  CI: Cover compilation with -m32
565            #529  CI: Store coverage reports as artifacts for download
566            #528  CI: Upgrade Clang from 11 to 13
567
568        Special thanks to:
569            An anonymous whitehat
570            Christopher Degawa
571            J. Peter Mugaas
572            Tyson Smith
573                 and
574            GCC Farm Project
575            Trend Micro Zero Day Initiative
576
577Release 2.4.2 Sun December 19 2021
578        Other changes:
579       #509 #510  Link againgst libm for function "isnan"
580       #513 #514  Include expat_config.h as early as possible
581            #498  Autotools: Include files with release archives:
582                    - buildconf.sh
583                    - fuzz/*.c
584       #507 #519  Autotools: Sync CMake templates with CMake 3.20
585       #495 #524  CMake: MinGW: Fix pkg-config section "Libs" for
586                    - non-release build types (e.g. -DCMAKE_BUILD_TYPE=Debug)
587                    - multi-config CMake generators (e.g. Ninja Multi-Config)
588       #502 #503  docs: Document that function XML_GetBuffer may return NULL
589                    when asking for a buffer of 0 (zero) bytes size
590       #522 #523  docs: Fix return value docs for both
591                    XML_SetBillionLaughsAttackProtection* functions
592       #525 #526  Version info bumped from 9:1:8 to 9:2:8;
593                    see https://verbump.de/ for what these numbers do
594
595        Special thanks to:
596            Donghee Na
597            Joergen Ibsen
598            Kai Pastor
599
600Release 2.4.1 Sun May 23 2021
601        Bug fixes:
602       #488 #490  Autotools: Fix installed header expat_config.h for multilib
603                    systems; regression introduced in 2.4.0 by pull request #486
604
605        Other changes:
606       #491 #492  Version info bumped from 9:0:8 to 9:1:8;
607                    see https://verbump.de/ for what these numbers do
608
609        Special thanks to:
610            Gentoo's QA check "multilib_check_headers"
611
612Release 2.4.0 Sun May 23 2021
613        Security fixes:
614   #34 #466 #484  CVE-2013-0340/CWE-776 -- Protect against billion laughs attacks
615                    (denial-of-service; flavors targeting CPU time or RAM or both,
616                    leveraging general entities or parameter entities or both)
617                    by tracking and limiting the input amplification factor
618                    (<amplification> := (<direct> + <indirect>) / <direct>).
619                    By conservative default, amplification up to a factor of 100.0
620                    is tolerated and rejection only starts after 8 MiB of output bytes
621                    (=<direct> + <indirect>) have been processed.
622                    The fix adds the following to the API:
623                    - A new error code XML_ERROR_AMPLIFICATION_LIMIT_BREACH to
624                      signals this specific condition.
625                    - Two new API functions ..
626                      - XML_SetBillionLaughsAttackProtectionMaximumAmplification and
627                      - XML_SetBillionLaughsAttackProtectionActivationThreshold
628                      .. to further tighten billion laughs protection parameters
629                      when desired.  Please see file "doc/reference.html" for details.
630                      If you ever need to increase the defaults for non-attack XML
631                      payload, please file a bug report with libexpat.
632                    - Two new XML_FEATURE_* constants ..
633                      - that can be queried using the XML_GetFeatureList function, and
634                      - that are shown in "xmlwf -v" output.
635                    - Two new environment variable switches ..
636                      - EXPAT_ACCOUNTING_DEBUG=(0|1|2|3) and
637                      - EXPAT_ENTITY_DEBUG=(0|1)
638                      .. for runtime debugging of accounting and entity processing.
639                      Specific behavior of these values may change in the future.
640                    - Two new command line arguments "-a FACTOR" and "-b BYTES"
641                      for xmlwf to further tighten billion laughs protection
642                      parameters when desired.
643                      If you ever need to increase the defaults for non-attack XML
644                      payload, please file a bug report with libexpat.
645
646        Bug fixes:
647       #332 #470  For (non-default) compilation with -DEXPAT_MIN_SIZE=ON (CMake)
648                    or CPPFLAGS=-DXML_MIN_SIZE (GNU Autotools): Fix segfault
649                    for UTF-16 payloads containing CDATA sections.
650       #485 #486  Autotools: Fix generated CMake files for non-64bit and
651                    non-Linux platforms (e.g. macOS and MinGW in particular)
652                    that were introduced with release 2.3.0
653
654        Other changes:
655       #468 #469  xmlwf: Improve help output and the xmlwf man page
656            #463  xmlwf: Improve maintainability through some refactoring
657            #477  xmlwf: Fix man page DocBook validity
658            #456  Autotools: Sync CMake templates with CMake 3.18
659       #458 #459  CMake: Support absolute paths for both CMAKE_INSTALL_LIBDIR
660                    and CMAKE_INSTALL_INCLUDEDIR
661       #471 #481  CMake: Add support for standard variable BUILD_SHARED_LIBS
662            #457  Unexpose symbol _INTERNAL_trim_to_complete_utf8_characters
663            #467  Resolve macro HAVE_EXPAT_CONFIG_H
664            #472  Delete unused legacy helper file "conftools/PrintPath"
665       #473 #483  Improve attribution
666  #464 #465 #477  doc/reference.html: Fix XHTML validity
667       #475 #478  doc/reference.html: Replace the 90s look by OK.css
668            #479  Version info bumped from 8:0:7 to 9:0:8
669                    due to addition of new symbols and error codes;
670                    see https://verbump.de/ for what these numbers do
671
672        Infrastructure:
673            #456  CI: Enable periodic runs
674            #457  CI: Start covering the list of exported symbols
675            #474  CI: Isolate coverage task
676       #476 #482  CI: Adapt to breaking changes in image "ubuntu-18.04"
677            #477  CI: Cover well-formedness and DocBook/XHTML validity
678                    of doc/reference.html and doc/xmlwf.xml
679
680        Special thanks to:
681            Dimitry Andric
682            Eero Helenius
683            Nick Wellnhofer
684            Rhodri James
685            Tomas Korbar
686            Yury Gribov
687                 and
688            Clang LeakSan
689            JetBrains
690            OSS-Fuzz
691
692Release 2.3.0 Thu March 25 2021
693        Bug fixes:
694            #438  When calling XML_ParseBuffer without a prior successful call to
695                    XML_GetBuffer as a user, no longer trigger undefined behavior
696                    (by adding an integer to a NULL pointer) but rather return
697                    XML_STATUS_ERROR and set the error code to (new) code
698                    XML_ERROR_NO_BUFFER. Found by UBSan (UndefinedBehaviorSanitizer)
699                    of Clang 11 (but not Clang 9).
700            #444  xmlwf: Exit status 2 was used for both:
701                    - malformed input files (documented) and
702                    - invalid command-line arguments (undocumented).
703                    The case of invalid command-line arguments now
704                    has its own exit status 4, resolving the ambiguity.
705
706        Other changes:
707            #439  xmlwf: Add argument -k to allow continuing after
708                    non-fatal errors
709            #439  xmlwf: Add section about exit status to the -h help output
710  #422 #426 #447  Windows: Drop support for Visual Studio <=14.0/2015
711            #434  Windows: CMake: Detect unsupported Visual Studio at
712                    configure time (rather than at compile time)
713       #382 #428  testrunner: Make verbose mode (argument "-v") report
714                    about passed tests, and make default mode report about
715                    failures, as well.
716            #442  CMake: Call "enable_language(CXX)" prior to tinkering
717                    with CMAKE_CXX_* variables
718            #448  Document use of libexpat from a CMake-based project
719            #451  Autotools: Install CMake files as generated by CMake 3.19.6
720                    so that users with "find_package(expat [..] CONFIG [..])"
721                    are served on distributions that are *not* using the CMake
722                    build system inside for libexpat packaging
723       #436 #437  Autotools: Drop obsolescent macro AC_HEADER_STDC
724       #450 #452  Autotools: Resolve use of obsolete macro AC_CONFIG_HEADER
725            #441  Address compiler warnings
726            #443  Version info bumped from 7:12:6 to 8:0:7
727                    due to addition of error code XML_ERROR_NO_BUFFER
728                    (see https://verbump.de/ for what these numbers do)
729
730        Infrastructure:
731       #435 #446  Replace Travis CI by GitHub Actions
732
733        Special thanks to:
734            Alexander Richardson
735            Oleksandr Popovych
736            Thomas Beutlich
737            Tim Bray
738                 and
739            Clang LeakSan, Clang 11 UBSan and the Clang team
740
741Release 2.2.10 Sat October 3 2020
742        Bug fixes:
743  #390 #395 #398  Fix undefined behavior during parsing caused by
744                    pointer arithmetic with NULL pointers
745       #404 #405  Fix reading uninitialized variable during parsing
746            #406  xmlwf: Add missing check for malloc NULL return
747
748        Other changes:
749            #396  Windows: Drop support for Visual Studio <=8.0/2005
750            #409  Windows: Add missing file "Changes" to the installer
751                    to fix compilation with CMake from installed sources
752            #403  xmlwf: Document exit codes in xmlwf manpage and
753                    exit with code 3 (rather than code 1) for output errors
754                    when used with "-d DIRECTORY"
755       #356 #359  MinGW: Provide declaration of rand_s for mingwrt <5.3.0
756       #383 #392  Autotools: Use -Werror while configure tests the compiler
757                    for supported compile flags to avoid false positives
758  #383 #393 #394  Autotools: Improve handling of user (C|CPP|CXX|LD)FLAGS,
759                    e.g. ensure that they have the last word over flags added
760                    while running ./configure
761            #360  CMake: Create libexpatw.{dll,so} and expatw.pc (with emphasis
762                    on suffix "w") with -DEXPAT_CHAR_TYPE=(ushort|wchar_t)
763            #360  CMake: Detect and deny unsupported build combinations
764                    involving -DEXPAT_CHAR_TYPE=(ushort|wchar_t)
765            #360  CMake: Install pre-compiled shipped xmlwf.1 manpage in case
766                    of -DEXPAT_BUILD_DOCS=OFF
767  #375 #380 #419  CMake: Fix use of Expat by means of add_subdirectory
768       #407 #408  CMake: Keep expat target name constant at "expat"
769                    (i.e. refrain from using the target name to control
770                    build artifact filenames)
771            #385  CMake: Fix compilation with -DEXPAT_SHARED_LIBS=OFF for
772                    Windows
773                  CMake: Expose man page compilation as target "xmlwf-manpage"
774       #413 #414  CMake: Introduce option EXPAT_BUILD_PKGCONFIG
775                    to control generation of pkg-config file "expat.pc"
776            #424  CMake: Add minimalistic support for building binary packages
777                    with CMake target "package"; based on CPack
778            #366  CMake: Add option -DEXPAT_OSSFUZZ_BUILD=(ON|OFF) with
779                    default OFF to build fuzzer code against OSS-Fuzz and
780                    related environment variable LIB_FUZZING_ENGINE
781            #354  Fix testsuite for -DEXPAT_DTD=OFF and -DEXPAT_NS=OFF, each
782    #354 #355 ..
783       #356 #412  Address compiler warnings
784       #368 #369  Address pngcheck warnings with doc/*.png images
785            #425  Version info bumped from 7:11:6 to 7:12:6
786
787        Special thanks to:
788            asavah
789            Ben Wagner
790            Bhargava Shastry
791            Frank Landgraf
792            Jeffrey Walton
793            Joe Orton
794            Kleber Tarcísio
795            Ma Lin
796            Maciej Sroczyński
797            Mohammed Khajapasha
798            Vadim Zeitlin
799                 and
800            Cppcheck 2.0 and the Cppcheck team
801
802Release 2.2.9 Wed September 25 2019
803        Other changes:
804                  examples: Drop executable bits from elements.c
805            #349  Windows: Change the name of the Windows DLLs from expat*.dll
806                    to libexpat*.dll once more (regression from 2.2.8, first
807                    fixed in 1.95.3, issue #61 on SourceForge today,
808                    was issue #432456 back then); needs a fix due
809                    case-insensitive file systems on Windows and the fact that
810                    Perl's XML::Parser::Expat compiles into Expat.dll.
811            #347  Windows: Only define _CRT_RAND_S if not defined
812                  Version info bumped from 7:10:6 to 7:11:6
813
814        Special thanks to:
815            Ben Wagner
816
817Release 2.2.8 Fri September 13 2019
818        Security fixes:
819       #317 #318  CVE-2019-15903 -- Fix heap overflow triggered by
820                    XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber),
821                    and deny internal entities closing the doctype;
822                    fixed in commit c20b758c332d9a13afbbb276d30db1d183a85d43
823
824        Bug fixes:
825            #240  Fix cases where XML_StopParser did not have any effect
826                    when called from inside of an end element handler
827            #341  xmlwf: Fix exit code for operation without "-d DIRECTORY";
828                    previously, only "-d DIRECTORY" would give you a proper
829                    exit code:
830                      # xmlwf -d . <<<'<not well-formed>' 2>/dev/null ; echo $?
831                      2
832                      # xmlwf <<<'<not well-formed>' 2>/dev/null ; echo $?
833                      0
834                    Now both cases return exit code 2.
835
836        Other changes:
837       #299 #302  Windows: Replace LoadLibrary hack to access
838                    unofficial API function SystemFunction036 (RtlGenRandom)
839                    by using official API function rand_s (needs WinXP+)
840            #325  Windows: Drop support for Visual Studio <=7.1/2003
841                    and document supported compilers in README.md
842            #286  Windows: Remove COM code from xmlwf; in case it turns
843                    out needed later, there will be a dedicated repository
844                    below https://github.com/libexpat/ for that code
845            #322  Windows: Remove explicit MSVC solution and project files.
846                    You can generate Visual Studio solution files through
847                    CMake, e.g.: cmake -G"Visual Studio 15 2017" .
848            #338  xmlwf: Make "xmlwf -h" help output more friendly
849            #339  examples: Improve elements.c
850       #244 #264  Autotools: Add argument --enable-xml-attr-info
851       #239 #301  Autotools: Add arguments
852                    --with-getrandom
853                    --without-getrandom
854                    --with-sys-getrandom
855                    --without-sys-getrandom
856       #312 #343  Autotools: Fix linking issues with "./configure LD=clang"
857                  Autotools: Fix "make run-xmltest" for out-of-source builds
858       #329 #336  CMake: Pull all options from Expat <=2.2.7 into namespace
859                    prefix EXPAT_ with the exception of DOCBOOK_TO_MAN:
860                    - BUILD_doc            -> EXPAT_BUILD_DOCS (plural)
861                    - BUILD_examples       -> EXPAT_BUILD_EXAMPLES
862                    - BUILD_shared         -> EXPAT_SHARED_LIBS
863                    - BUILD_tests          -> EXPAT_BUILD_TESTS
864                    - BUILD_tools          -> EXPAT_BUILD_TOOLS
865                    - DOCBOOK_TO_MAN       -> DOCBOOK_TO_MAN (unchanged)
866                    - INSTALL              -> EXPAT_ENABLE_INSTALL
867                    - MSVC_USE_STATIC_CRT  -> EXPAT_MSVC_STATIC_CRT
868                    - USE_libbsd           -> EXPAT_WITH_LIBBSD
869                    - WARNINGS_AS_ERRORS   -> EXPAT_WARNINGS_AS_ERRORS
870                    - XML_CONTEXT_BYTES    -> EXPAT_CONTEXT_BYTES
871                    - XML_DEV_URANDOM      -> EXPAT_DEV_URANDOM
872                    - XML_DTD              -> EXPAT_DTD
873                    - XML_NS               -> EXPAT_NS
874                    - XML_UNICODE          -> EXPAT_CHAR_TYPE=ushort (!)
875                    - XML_UNICODE_WCHAR_T  -> EXPAT_CHAR_TYPE=wchar_t (!)
876       #244 #264  CMake: Add argument -DEXPAT_ATTR_INFO=(ON|OFF),
877                    default OFF
878            #326  CMake: Add argument -DEXPAT_LARGE_SIZE=(ON|OFF),
879                    default OFF
880            #328  CMake: Add argument -DEXPAT_MIN_SIZE=(ON|OFF),
881                    default OFF
882       #239 #277  CMake: Add arguments
883                    -DEXPAT_WITH_GETRANDOM=(ON|OFF|AUTO), default AUTO
884                    -DEXPAT_WITH_SYS_GETRANDOM=(ON|OFF|AUTO), default AUTO
885            #326  CMake: Install expat_config.h to include directory
886            #326  CMake: Generate and install configuration files for
887                    future find_package(expat [..] CONFIG [..])
888                  CMake: Now produces a summary of applied configuration
889                  CMake: Require C++ compiler only when tests are enabled
890            #330  CMake: Fix compilation for 16bit character types,
891                    i.e. ex -DXML_UNICODE=ON (and ex -DXML_UNICODE_WCHAR_T=ON)
892            #265  CMake: Fix linking with MinGW
893            #330  CMake: Add full support for MinGW; to enable, use
894                    -DCMAKE_TOOLCHAIN_FILE=[expat]/cmake/mingw-toolchain.cmake
895            #330  CMake: Port "make run-xmltest" from GNU Autotools to CMake
896            #316  CMake: Windows: Make binary postfix match MSVC
897                    Old: expat[d].lib
898                    New: expat[w][d][MD|MT].lib
899                  CMake: Migrate files from Windows to Unix line endings
900            #308  CMake: Integrate OSS-Fuzz fuzzers, option
901                    -DEXPAT_BUILD_FUZZERS=(ON|OFF), default OFF
902             #14  Drop an OpenVMS support leftover
903    #235 #268 ..
904    #270 #310 ..
905  #313 #331 #333  Address compiler warnings
906    #282 #283 ..
907       #284 #285  Address cppcheck warnings
908       #294 #295  Address Clang Static Analyzer warnings
909        #24 #293  Mass-apply clang-format 9 (and ensure conformance during CI)
910                  Version info bumped from 7:9:6 to 7:10:6
911
912        Special thanks to:
913            David Loffredo
914            Joonun Jang
915            Kishore Kunche
916            Marco Maggi
917            Mitch Phillips
918            Mohammed Khajapasha
919            Rolf Ade
920            xantares
921            Zhongyuan Zhou
922
923Release 2.2.7 Wed June 19 2019
924        Security fixes:
925       #186 #262  CVE-2018-20843 -- Fix extraction of namespace prefixes from
926                    XML names; XML names with multiple colons could end up in
927                    the wrong namespace, and take a high amount of RAM and CPU
928                    resources while processing, opening the door to
929                    use for denial-of-service attacks
930
931        Other changes:
932       #195 #197  Autotools/CMake: Utilize -fvisibility=hidden to stop
933                    exporting non-API symbols
934            #227  Autotools: Add --without-examples and --without-tests
935            #228  Autotools: Modernize configure.ac
936       #245 #246  Autotools: Fix check for -fvisibility=hidden for Clang
937       #247 #248  Autotools: Fix compilation for lack of docbook2x-man
938       #236 #258  Autotools: Produce .tar.{gz,lz,xz} release archives
939            #212  CMake: Make libdir of pkgconfig expat.pc support multilib
940       #158 #263  CMake: Build man page in PROJECT_BINARY_DIR not _SOURCE_DIR
941            #219  Remove fallback to bcopy, assume that memmove(3) exists
942            #257  Use portable "/usr/bin/env bash" shebang (e.g. for OpenBSD)
943            #243  Windows: Fix syntax of .def module definition files
944                  Version info bumped from 7:8:6 to 7:9:6
945
946        Special thanks to:
947            Benjamin Peterson
948            Caolán McNamara
949            Hanno Böck
950            KangLin
951            Kishore Kunche
952            Marco Maggi
953            Rhodri James
954            Sebastian Dröge
955            userwithuid
956            Yury Gribov
957
958Release 2.2.6 Sun August 12 2018
959        Bug fixes:
960       #170 #206  Avoid doing arithmetic with NULL pointers in XML_GetBuffer
961       #204 #205  Fix 2.2.5 regression with suspend-resume while parsing
962                    a document like '<root/>'
963
964        Other changes:
965       #165 #168  Autotools: Fix docbook-related configure syntax error
966            #166  Autotools: Avoid grep option `-q` for Solaris
967            #167  Autotools: Support
968                    ./configure DOCBOOK_TO_MAN="xmlto man --skip-validation"
969       #159 #167  Autotools: Support DOCBOOK_TO_MAN command which produces
970                    xmlwf.1 rather than XMLWF.1; also covers case insensitive
971                    file systems
972            #181  Autotools: Drop -rpath option passed to libtool
973            #188  Autotools: Detect and deny SGML docbook2man as ours is XML
974            #188  Autotools/CMake: Support command db2x_docbook2man as well
975            #174  CMake: Introduce option WARNINGS_AS_ERRORS, defaults to OFF
976       #184 #185  CMake: Introduce option MSVC_USE_STATIC_CRT, defaults to OFF
977       #207 #208  CMake: Introduce option XML_UNICODE and XML_UNICODE_WCHAR_T,
978                    both defaulting to OFF
979            #175  CMake: Prefer check_symbol_exists over check_function_exists
980            #176  CMake: Create the same pkg-config file as with GNU Autotools
981       #178 #179  CMake: Use GNUInstallDirs module to set proper defaults for
982                    install directories
983            #208  CMake: Utilize expat_config.h.cmake for XML_DEV_URANDOM
984            #180  Windows: Fix compilation of test suite for Visual Studio 2008
985  #131 #173 #202  Address compiler warnings
986  #187 #190 #200  Fix miscellaneous typos
987                  Version info bumped from 7:7:6 to 7:8:6
988
989        Special thanks to:
990            Anton Maklakov
991            Benjamin Peterson
992            Brad King
993            Franek Korta
994            Frank Rast
995            Joe Orton
996            luzpaz
997            Pedro Vicente
998            Rainer Jung
999            Rhodri James
1000            Rolf Ade
1001            Rolf Eike Beer
1002            Thomas Beutlich
1003            Tomasz Kłoczko
1004
1005Release 2.2.5 Tue October 31 2017
1006        Bug fixes:
1007              #8  If the parser runs out of memory, make sure its internal
1008                    state reflects the memory it actually has, not the memory
1009                    it wanted to have.
1010             #11  The default handler wasn't being called when it should for
1011                    a SYSTEM or PUBLIC doctype if an entity declaration handler
1012                    was registered.
1013       #137 #138  Fix a case of mistakenly reported parsing success where
1014                    XML_StopParser was called from an element handler
1015            #162  Function XML_ErrorString was returning NULL rather than
1016                    a message for code XML_ERROR_INVALID_ARGUMENT
1017                    introduced with release 2.2.1
1018
1019        Other changes:
1020            #106  xmlwf: Add argument -N adding notation declarations
1021        #75 #106  Test suite: Resolve expected failure cases where xmlwf
1022                    output was incomplete
1023            #127  Windows: Fix test suite compilation
1024       #126 #127  Windows: Fix compilation for Visual Studio 2012
1025                  Windows: Upgrade shipped project files to Visual Studio 2017
1026        #33 #132  tests: Mass-fix compilation for XML_UNICODE_WCHAR_T
1027            #129  examples: Fix compilation for XML_UNICODE_WCHAR_T
1028            #130  benchmark: Fix compilation for XML_UNICODE_WCHAR_T
1029            #144  xmlwf: Fix compilation for XML_UNICODE_WCHAR_T; still needs
1030                    Windows or MinGW for 2-byte wchar_t
1031              #9  Address two Clang Static Analyzer false positives
1032             #59  Resolve troublesome macros hiding parser struct membership
1033                    and dereferencing that pointer
1034              #6  Resolve superfluous internal malloc/realloc switch
1035       #153 #155  Improve docbook2x-man detection
1036            #160  Undefine NDEBUG in the test suite (rather than rejecting it)
1037            #161  Address compiler warnings
1038                  Version info bumped from 7:6:6 to 7:7:6
1039
1040        Special thanks to:
1041            Benbuck Nason
1042            Hans Wennborg
1043            José Gutiérrez de la Concha
1044            Pedro Monreal Gonzalez
1045            Rhodri James
1046            Rolf Ade
1047            Stephen Groat
1048                 and
1049            Core Infrastructure Initiative
1050
1051Release 2.2.4 Sat August 19 2017
1052        Bug fixes:
1053            #115  Fix copying of partial characters for UTF-8 input
1054
1055        Other changes:
1056            #109  Fix "make check" for non-x86 architectures that default
1057                    to unsigned type char (-128..127 rather than 0..255)
1058            #109  coverage.sh: Cover -funsigned-char
1059                  Autotools: Introduce --without-xmlwf argument
1060             #65  Autotools: Replace handwritten Makefile with GNU Automake
1061             #43  CMake: Auto-detect high quality entropy extractors, add new
1062                    option USE_libbsd=ON to use arc4random_buf of libbsd
1063             #74  CMake: Add -fno-strict-aliasing only where supported
1064            #114  CMake: Always honor manually set BUILD_* options
1065            #114  CMake: Compile man page if docbook2x-man is available, only
1066            #117  Include file tests/xmltest.log.expected in source tarball
1067                    (required for "make run-xmltest")
1068            #117  Include (existing) Visual Studio 2013 files in source tarball
1069                  Improve test suite error output
1070            #111  Fix some typos in documentation
1071                  Version info bumped from 7:5:6 to 7:6:6
1072
1073        Special thanks to:
1074            Jakub Wilk
1075            Joe Orton
1076            Lin Tian
1077            Rolf Eike Beer
1078
1079Release 2.2.3 Wed August 2 2017
1080        Security fixes:
1081             #82  CVE-2017-11742 -- Windows: Fix DLL hijacking vulnerability
1082                    using Steve Holme's LoadLibrary wrapper for/of cURL
1083
1084        Bug fixes:
1085             #85  Fix a dangling pointer issue related to realloc
1086
1087        Other changes:
1088                  Increase code coverage
1089             #91  Linux: Allow getrandom to fail if nonblocking pool has not
1090                    yet been initialized and read /dev/urandom then, instead.
1091                    This is in line with what recent Python does.
1092             #81  Pre-10.7/Lion macOS: Support entropy from arc4random
1093             #86  Check that a UTF-16 encoding in an XML declaration has the
1094                    right endianness
1095        #4 #5 #7  Recover correctly when some reallocations fail
1096                  Repair "./configure && make" for systems without any
1097                    provider of high quality entropy
1098                    and try reading /dev/urandom on those
1099                  Ensure that user-defined character encodings have converter
1100                    functions when they are needed
1101                  Fix mis-leading description of argument -c in xmlwf.1
1102                  Rely on macro HAVE_ARC4RANDOM_BUF (rather than __CloudABI__)
1103                    for CloudABI
1104            #100  Fix use of SIPHASH_MAIN in siphash.h
1105             #23  Test suite: Fix memory leaks
1106                  Version info bumped from 7:4:6 to 7:5:6
1107
1108        Special thanks to:
1109            Chanho Park
1110            Joe Orton
1111            Pascal Cuoq
1112            Rhodri James
1113            Simon McVittie
1114            Vadim Zeitlin
1115            Viktor Szakats
1116                 and
1117            Core Infrastructure Initiative
1118
1119Release 2.2.2 Wed July 12 2017
1120        Security fixes:
1121             #43  Protect against compilation without any source of high
1122                    quality entropy enabled, e.g. with CMake build system;
1123                    commit ff0207e6076e9828e536b8d9cd45c9c92069b895
1124             #60  Windows with _UNICODE:
1125                    Unintended use of LoadLibraryW with a non-wide string
1126                    resulted in failure to load advapi32.dll and degradation
1127                    in quality of used entropy when compiled with _UNICODE for
1128                    Windows; you can launch existing binaries with
1129                    EXPAT_ENTROPY_DEBUG=1 in the environment to inspect the
1130                    quality of entropy used during runtime; commits
1131                    * 95b95032f907ef1cd17ee7a9a1768010a825d61d
1132                    * 73a5a2e9c081f49f2d775cf7ced864158b68dc80
1133   [MOX-006]      Fix non-NULL parser parameter validation in XML_Parse;
1134                    resulted in NULL dereference, previously;
1135                    commit ac256dafdffc9622ab0dc2c62fcecb0dfcfa71fe
1136
1137        Bug fixes:
1138             #69  Fix improper use of unsigned long long integer literals
1139
1140        Other changes:
1141             #73  Start requiring a C99 compiler
1142             #49  Fix "==" Bashism in configure script
1143             #50  Fix too eager getrandom detection for Debian GNU/kFreeBSD
1144             #52    and macOS
1145             #51  Address lack of stdint.h in Visual Studio 2003 to 2008
1146             #58  Address compile warnings
1147             #68  Fix "./buildconf.sh && ./configure" for some versions
1148                    of Dash for /bin/sh
1149             #72  CMake: Ease use of Expat in context of a parent project
1150                    with multiple CMakeLists.txt files
1151             #72  CMake: Resolve mistaken executable permissions
1152             #76  Address compile warning with -DNDEBUG (not recommended!)
1153             #77  Address compile warning about macro redefinition
1154
1155        Special thanks to:
1156            Alexander Bluhm
1157            Ben Boeckel
1158            Cătălin Răceanu
1159            Kerin Millar
1160            László Böszörményi
1161            S. P. Zeidler
1162            Segev Finer
1163            Václav Slavík
1164            Victor Stinner
1165            Viktor Szakats
1166                 and
1167            Radically Open Security
1168
1169Release 2.2.1 Sat June 17 2017
1170        Security fixes:
1171                  CVE-2017-9233 -- External entity infinite loop DoS
1172                    Details: https://libexpat.github.io/doc/cve-2017-9233/
1173                    Commit c4bf96bb51dd2a1b0e185374362ee136fe2c9d7f
1174   [MOX-002]      CVE-2016-9063 -- Detect integer overflow; commit
1175                    d4f735b88d9932bd5039df2335eefdd0723dbe20
1176                    (Fixed version of existing downstream patches!)
1177   (SF.net) #539  Fix regression from fix to CVE-2016-0718 cutting off
1178                    longer tag names; commits
1179                    * 896b6c1fd3b842f377d1b62135dccf0a579cf65d
1180                    * af507cef2c93cb8d40062a0abe43a4f4e9158fb2
1181             #16    * 0dbbf43fdb20f593ddf4fa1ff67288000dd4a7fd
1182             #25  More integer overflow detection (function poolGrow); commits
1183                    * 810b74e4703dcfdd8f404e3cb177d44684775143
1184                    * 44178553f3539ce69d34abee77a05e879a7982ac
1185   [MOX-002]      Detect overflow from len=INT_MAX call to XML_Parse; commits
1186                    * 4be2cb5afcc018d996f34bbbce6374b7befad47f
1187                    * 7e5b71b748491b6e459e5c9a1d090820f94544d8
1188   [MOX-005] #30  Use high quality entropy for hash initialization:
1189                    * arc4random_buf on BSD, systems with libbsd
1190                      (when configured with --with-libbsd), CloudABI
1191                    * RtlGenRandom on Windows XP / Server 2003 and later
1192                    * getrandom on Linux 3.17+
1193                    In a way, that's still part of CVE-2016-5300.
1194                    https://github.com/libexpat/libexpat/pull/30/commits
1195   [MOX-005]      For the low quality entropy extraction fallback code,
1196                    the parser instance address can no longer leak, commit
1197                    04ad658bd3079dd15cb60fc67087900f0ff4b083
1198   [MOX-003]      Prevent use of uninitialised variable; commit
1199   [MOX-004]        a4dc944f37b664a3ca7199c624a98ee37babdb4b
1200                  Add missing parameter validation to public API functions
1201                    and dedicated error code XML_ERROR_INVALID_ARGUMENT:
1202   [MOX-006]        * NULL checks; commits
1203                      * d37f74b2b7149a3a95a680c4c4cd2a451a51d60a (merge/many)
1204                      * 9ed727064b675b7180c98cb3d4f75efba6966681
1205                      * 6a747c837c50114dfa413994e07c0ba477be4534
1206                    * Negative length (XML_Parse); commit
1207   [MOX-002]          70db8d2538a10f4c022655d6895e4c3e78692e7f
1208   [MOX-001] #35  Change hash algorithm to William Ahern's version of SipHash
1209                    to go further with fixing CVE-2012-0876.
1210                    https://github.com/libexpat/libexpat/pull/39/commits
1211
1212        Bug fixes:
1213             #32  Fix sharing of hash salt across parsers;
1214                    relevant where XML_ExternalEntityParserCreate is called
1215                    prior to XML_Parse, in particular (e.g. FBReader)
1216             #28  xmlwf: Auto-disable use of memory-mapping (and parsing
1217                    as a single chunk) for files larger than ~1 GB (2^30 bytes)
1218                    rather than failing with error "out of memory"
1219              #3  Fix double free after malloc failure in DTD code; commit
1220                    7ae9c3d3af433cd4defe95234eae7dc8ed15637f
1221             #17  Fix memory leak on parser error for unbound XML attribute
1222                    prefix with new namespaces defined in the same tag;
1223                    found by Google's OSS-Fuzz; commits
1224                    * 16f87daae5a16132e479e4f71862128c7a915c73
1225                    * b47dbc9745932c160893d433220e462bd605f8cd
1226                  xmlwf on Windows: Add missing calls to CloseHandle
1227
1228        New features:
1229             #30  Introduced environment switch EXPAT_ENTROPY_DEBUG=1
1230                    for runtime debugging of entropy extraction
1231
1232        Other changes:
1233                  Increase code coverage
1234             #33  Reject use of XML_UNICODE_WCHAR_T with sizeof(wchar_t) != 2;
1235                    XML_UNICODE_WCHAR_T was never meant to be used outside
1236                    of Windows; 4-byte wchar_t is common on Linux
1237   (SF.net) #538  Start using -fno-strict-aliasing
1238   (SF.net) #540  Support compilation against cloudlibc of CloudABI
1239                  Allow MinGW cross-compilation
1240   (SF.net) #534  CMake: Introduce option "BUILD_doc" (enabled by default)
1241                    to bypass compilation of the xmlwf.1 man page
1242   (SF.net)  pr2  CMake: Introduce option "INSTALL" (enabled by default)
1243                    to bypass installation of expat files
1244                  CMake: Fix ninja support
1245                  Autotools: Add parameters --enable-xml-context [COUNT]
1246                    and --disable-xml-context; default of context of 1024
1247                    bytes enabled unchanged
1248             #14  Drop AmigaOS 4.x code and includes
1249             #14  Drop ancient build systems:
1250                    * Borland C++ Builder
1251                    * OpenVMS
1252                    * Open Watcom
1253                    * Visual Studio 6.0
1254                    * Pre-X Mac OS (MPW Makefile)
1255                    If you happen to rely on some of these, please get in
1256                    touch for joining with maintenance.
1257             #10  Move from WIN32 to _WIN32
1258             #13  Fix "make run-xmltest" order instability
1259                  Address compile warnings
1260                  Bump version info from 7:2:6 to 7:3:6
1261                  Add AUTHORS file
1262
1263        Infrastructure:
1264              #1  Migrate from SourceForge to GitHub (except downloads):
1265                    https://github.com/libexpat/
1266              #1  Re-create http://libexpat.org/ project website
1267                  Start utilizing Travis CI
1268
1269        Special thanks to:
1270            Andy Wang
1271            Don Lewis
1272            Ed Schouten
1273            Karl Waclawek
1274            Pascal Cuoq
1275            Rhodri James
1276            Sergei Nikulov
1277            Tobias Taschner
1278            Viktor Szakats
1279                 and
1280            Core Infrastructure Initiative
1281            Mozilla Foundation (MOSS Track 3: Secure Open Source)
1282            Radically Open Security
1283
1284Release 2.2.0 Tue June 21 2016
1285        Security fixes:
1286            #537  CVE-2016-0718 -- Fix crash on malformed input
1287                  CVE-2016-4472 -- Improve insufficient fix to CVE-2015-1283 /
1288                                   CVE-2015-2716 introduced with Expat 2.1.1
1289            #499  CVE-2016-5300 -- Use more entropy for hash initialization
1290                                   than the original fix to CVE-2012-0876
1291            #519  CVE-2012-6702 -- Resolve troublesome internal call to srand
1292                                   that was introduced with Expat 2.1.0
1293                                   when addressing CVE-2012-0876 (issue #496)
1294
1295        Bug fixes:
1296                  Fix uninitialized reads of size 1
1297                    (e.g. in little2_updatePosition)
1298                  Fix detection of UTF-8 character boundaries
1299
1300        Other changes:
1301            #532  Fix compilation for Visual Studio 2010 (keyword "C99")
1302                  Autotools: Resolve use of "$<" to better support bmake
1303                  Autotools: Add QA script "qa.sh" (and make target "qa")
1304                  Autotools: Respect CXXFLAGS if given
1305                  Autotools: Fix "make run-xmltest"
1306                  Autotools: Have "make run-xmltest" check for expected output
1307             p90  CMake: Fix static build (BUILD_shared=OFF) on Windows
1308            #536  CMake: Add soversion, support -DNO_SONAME=yes to bypass
1309            #323  CMake: Add suffix "d" to differentiate debug from release
1310                  CMake: Define WIN32 with CMake on Windows
1311                  Annotate memory allocators for GCC
1312                  Address all currently known compile warnings
1313                  Make sure that API symbols remain visible despite
1314                    -fvisibility=hidden
1315                  Remove executable flag from source files
1316                  Resolve COMPILED_FROM_DSP in favor of WIN32
1317
1318        Special thanks to:
1319            Björn Lindahl
1320            Christian Heimes
1321            Cristian Rodríguez
1322            Daniel Krügler
1323            Gustavo Grieco
1324            Karl Waclawek
1325            László Böszörményi
1326            Marco Grassi
1327            Pascal Cuoq
1328            Sergei Nikulov
1329            Thomas Beutlich
1330            Warren Young
1331            Yann Droneaud
1332
1333Release 2.1.1 Sat March 12 2016
1334        Security fixes:
1335            #582: CVE-2015-1283 - Multiple integer overflows in XML_GetBuffer
1336
1337        Bug fixes:
1338            #502: Fix potential null pointer dereference
1339            #520: Symbol XML_SetHashSalt was not exported
1340            Output of "xmlwf -h" was incomplete
1341
1342        Other changes:
1343            #503: Document behavior of calling XML_SetHashSalt with salt 0
1344            Minor improvements to man page xmlwf(1)
1345            Improvements to the experimental CMake build system
1346            libtool now invoked with --verbose
1347
1348Release 2.1.0 Sat March 24 2012
1349        - Security fixes:
1350          #2958794: CVE-2012-1148 - Memory leak in poolGrow.
1351          #2895533: CVE-2012-1147 - Resource leak in readfilemap.c.
1352          #3496608: CVE-2012-0876 - Hash DOS attack.
1353          #2894085: CVE-2009-3560 - Buffer over-read and crash in big2_toUtf8().
1354          #1990430: CVE-2009-3720 - Parser crash with special UTF-8 sequences.
1355        - Bug Fixes:
1356          #1742315: Harmful XML_ParserCreateNS suggestion.
1357          #1785430: Expat build fails on linux-amd64 with gcc version>=4.1 -O3.
1358          #1983953, 2517952, 2517962, 2649838:
1359                Build modifications using autoreconf instead of buildconf.sh.
1360          #2815947, #2884086: OBJEXT and EXEEXT support while building.
1361          #2517938: xmlwf should return non-zero exit status if not well-formed.
1362          #2517946: Wrong statement about XMLDecl in xmlwf.1 and xmlwf.sgml.
1363          #2855609: Dangling positionPtr after error.
1364          #2990652: CMake support.
1365          #3010819: UNEXPECTED_STATE with a trailing "%" in entity value.
1366          #3206497: Uninitialized memory returned from XML_Parse.
1367          #3287849: make check fails on mingw-w64.
1368        - Patches:
1369          #1749198: pkg-config support.
1370          #3010222: Fix for bug #3010819.
1371          #3312568: CMake support.
1372          #3446384: Report byte offsets for attr names and values.
1373        - New Features / API changes:
1374          Added new API member XML_SetHashSalt() that allows setting an initial
1375                value (salt) for hash calculations. This is part of the fix for
1376                bug #3496608 to randomize hash parameters.
1377          When compiled with XML_ATTR_INFO defined, adds new API member
1378                XML_GetAttributeInfo() that allows retrieving the byte
1379                offsets for attribute names and values (patch #3446384).
1380          Added CMake build system.
1381                See bug #2990652 and patch #3312568.
1382          Added run-benchmark target to Makefile.in - relies on testdata module
1383                present in the same relative location as in the repository.
1384
1385Release 2.0.1 Tue June 5 2007
1386        - Fixed bugs #1515266, #1515600: The character data handler's calling
1387          of XML_StopParser() was not handled properly; if the parser was
1388          stopped and the handler set to NULL, the parser would segfault.
1389        - Fixed bug #1690883: Expat failed on EBCDIC systems as it assumed
1390          some character constants to be ASCII encoded.
1391        - Minor cleanups of the test harness.
1392        - Fixed xmlwf bug #1513566: "out of memory" error on file size zero.
1393        - Fixed outline.c bug #1543233: missing a final XML_ParserFree() call.
1394        - Fixes and improvements for Windows platform:
1395          bugs #1409451, #1476160, #1548182, #1602769, #1717322.
1396        - Build fixes for various platforms:
1397          HP-UX, Tru64, Solaris 9: patch #1437840, bug #1196180.
1398          All Unix: #1554618 (refreshed config.sub/config.guess).
1399                    #1490371, #1613457: support both, DESTDIR and INSTALL_ROOT,
1400                    without relying on GNU-Make specific features.
1401          #1647805: Patched configure.in to work better with Intel compiler.
1402        - Fixes to Makefile.in to have make check work correctly:
1403          bugs #1408143, #1535603, #1536684.
1404        - Added Open Watcom support: patch #1523242.
1405
1406Release 2.0.0 Wed Jan 11 2006
1407        - We no longer use the "check" library for C unit testing; we
1408          always use the (partial) internal implementation of the API.
1409        - Report XML_NS setting via XML_GetFeatureList().
1410        - Fixed headers for use from C++.
1411        - XML_GetCurrentLineNumber() and  XML_GetCurrentColumnNumber()
1412          now return unsigned integers.
1413        - Added XML_LARGE_SIZE switch to enable 64-bit integers for
1414          byte indexes and line/column numbers.
1415        - Updated to use libtool 1.5.22 (the most recent).
1416        - Added support for AmigaOS.
1417        - Some mostly minor bug fixes. SF issues include: #1006708,
1418          #1021776, #1023646, #1114960, #1156398, #1221160, #1271642.
1419
1420Release 1.95.8 Fri Jul 23 2004
1421        - Major new feature: suspend/resume.  Handlers can now request
1422          that a parse be suspended for later resumption or aborted
1423          altogether.  See "Temporarily Stopping Parsing" in the
1424          documentation for more details.
1425        - Some mostly minor bug fixes, but compilation should no
1426          longer generate warnings on most platforms.  SF issues
1427          include: #827319, #840173, #846309, #888329, #896188, #923913,
1428          #928113, #961698, #985192.
1429
1430Release 1.95.7 Mon Oct 20 2003
1431        - Fixed enum XML_Status issue (reported on SourceForge many
1432          times), so compilers that are properly picky will be happy.
1433        - Introduced an XMLCALL macro to control the calling
1434          convention used by the Expat API; this macro should be used
1435          to annotate prototypes and definitions of callback
1436          implementations in code compiled with a calling convention
1437          other than the default convention for the host platform.
1438        - Improved ability to build without the configure-generated
1439          expat_config.h header.  This is useful for applications
1440          which embed Expat rather than linking in the library.
1441        - Fixed a variety of bugs: see SF issues #458907, #609603,
1442          #676844, #679754, #692878, #692964, #695401, #699323, #699487,
1443          #820946.
1444        - Improved hash table lookups.
1445        - Added more regression tests and improved documentation.
1446
1447Release 1.95.6 Tue Jan 28 2003
1448        - Added XML_FreeContentModel().
1449        - Added XML_MemMalloc(), XML_MemRealloc(), XML_MemFree().
1450        - Fixed a variety of bugs: see SF issues #615606, #616863,
1451          #618199, #653180, #673791.
1452        - Enhanced the regression test suite.
1453        - Man page improvements: includes SF issue #632146.
1454
1455Release 1.95.5 Fri Sep 6 2002
1456        - Added XML_UseForeignDTD() for improved SAX2 support.
1457        - Added XML_GetFeatureList().
1458        - Defined XML_Bool type and the values XML_TRUE and XML_FALSE.
1459        - Use an incomplete struct instead of a void* for the parser
1460          (may not retain).
1461        - Fixed UTF-8 decoding bug that caused legal UTF-8 to be rejected.
1462        - Finally fixed bug where default handler would report DTD
1463          events that were already handled by another handler.
1464          Initial patch contributed by Darryl Miles.
1465        - Removed unnecessary DllMain() function that caused static
1466          linking into a DLL to be difficult.
1467        - Added VC++ projects for building static libraries.
1468        - Reduced line-length for all source code and headers to be
1469          no longer than 80 characters, to help with AS/400 support.
1470        - Reduced memory copying during parsing (SF patch #600964).
1471        - Fixed a variety of bugs: see SF issues #580793, #434664,
1472          #483514, #580503, #581069, #584041, #584183, #584832, #585537,
1473          #596555, #596678, #598352, #598944, #599715, #600479, #600971.
1474
1475Release 1.95.4 Fri Jul 12 2002
1476        - Added support for VMS, contributed by Craig Berry.  See
1477          vms/README.vms for more information.
1478        - Added Mac OS (classic) support, with a makefile for MPW,
1479          contributed by Thomas Wegner and Daryle Walker.
1480        - Added Borland C++ Builder 5 / BCC 5.5 support, contributed
1481          by Patrick McConnell (SF patch #538032).
1482        - Fixed a variety of bugs: see SF issues #441449, #563184,
1483          #564342, #566334, #566901, #569461, #570263, #575168, #579196.
1484        - Made skippedEntityHandler conform to SAX2 (see source comment)
1485        - Re-implemented WFC: Entity Declared from XML 1.0 spec and
1486          added a new error "entity declared in parameter entity":
1487          see SF bug report #569461 and SF patch #578161
1488        - Re-implemented section 5.1 from XML 1.0 spec:
1489          see SF bug report #570263 and SF patch #578161
1490
1491Release 1.95.3 Mon Jun 3 2002
1492        - Added a project to the MSVC workspace to create a wchar_t
1493          version of the library; the DLLs are named libexpatw.dll.
1494        - Changed the name of the Windows DLLs from expat.dll to
1495          libexpat.dll; this fixes SF bug #432456.
1496        - Added the XML_ParserReset() API function.
1497        - Fixed XML_SetReturnNSTriplet() to work for element names.
1498        - Made the XML_UNICODE builds usable (thanks, Karl!).
1499        - Allow xmlwf to read from standard input.
1500        - Install a man page for xmlwf on Unix systems.
1501        - Fixed many bugs; see SF bug reports #231864, #461380, #464837,
1502          #466885, #469226, #477667, #484419, #487840, #494749, #496505,
1503          #547350.  Other bugs which we can't test as easily may also
1504          have been fixed, especially in the area of build support.
1505
1506Release 1.95.2 Fri Jul 27 2001
1507        - More changes to make MSVC happy with the build; add a single
1508          workspace to support both the library and xmlwf application.
1509        - Added a Windows installer for Windows users; includes
1510          xmlwf.exe.
1511        - Added compile-time constants that can be used to determine the
1512          Expat version
1513        - Removed a lot of GNU-specific dependencies to aide portability
1514          among the various Unix flavors.
1515        - Fix the UTF-8 BOM bug.
1516        - Cleaned up warning messages for several compilers.
1517        - Added the -Wall, -Wstrict-prototypes options for GCC.
1518
1519Release 1.95.1 Sun Oct 22 15:11:36 EDT 2000
1520        - Changes to get expat to build under Microsoft compiler
1521        - Removed all aborts and instead return an UNEXPECTED_STATE error.
1522        - Fixed a bug where a stray '%' in an entity value would cause an
1523          abort.
1524        - Defined XML_SetEndNamespaceDeclHandler. Thanks to Darryl Miles for
1525          finding this oversight.
1526        - Changed default patterns in lib/Makefile.in to fit non-GNU makes
1527          Thanks to robin@unrated.net for reporting and providing an
1528          account to test on.
1529        - The reference had the wrong label for XML_SetStartNamespaceDecl.
1530          Reported by an anonymous user.
1531
1532Release 1.95.0 Fri Sep 29 2000
1533        - XML_ParserCreate_MM
1534                Allows you to set a memory management suite to replace the
1535                standard malloc,realloc, and free.
1536        - XML_SetReturnNSTriplet
1537                If you turn this feature on when namespace processing is in
1538                effect, then qualified, prefixed element and attribute names
1539                are returned as "uri|name|prefix" where '|' is whatever
1540                separator character is used in namespace processing.
1541        - Merged in features from perl-expat
1542                o XML_SetElementDeclHandler
1543                o XML_SetAttlistDeclHandler
1544                o XML_SetXmlDeclHandler
1545                o XML_SetEntityDeclHandler
1546                o StartDoctypeDeclHandler takes 3 additional parameters:
1547                        sysid, pubid, has_internal_subset
1548                o Many paired handler setters (like XML_SetElementHandler)
1549                  now have corresponding individual handler setters
1550                o XML_GetInputContext for getting the input context of
1551                  the current parse position.
1552        - Added reference material
1553        - Packaged into a distribution that builds a sharable library
1554