xref: /freebsd/contrib/expat/Changes (revision da5137abdf463bb5fee85061958a14dd12bc043e)
1NOTE: We are looking for help with a few things:
2      https://github.com/libexpat/libexpat/labels/help%20wanted
3      If you can help, please get in touch.  Thanks!
4
5Release 2.4.7 Fri March 4 2022
6        Bug fixes:
7       #572 #577  Relax fix to CVE-2022-25236 (introduced with release 2.4.5)
8                    with regard to all valid URI characters (RFC 3986),
9                    i.e. the following set (excluding whitespace):
10                    ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz
11                    0123456789 % -._~ :/?#[]@ !$&'()*+,;=
12
13        Other changes:
14  #555 #570 #581  CMake|Windows: Store Expat version in the DLL
15            #577  Document consequences of namespace separator choices not just
16                    in doc/reference.html but also in header <expat.h>
17            #577  Document Expat's lack of validation of namespace URIs against
18                    RFC 3986, and that the XML 1.0r4 specification doesn't
19                    require Expat to validate namespace URIs, and that Expat
20                    may do more in that regard in future releases.
21                    If you find need for strict RFC 3986 URI validation on
22                    application level today, https://uriparser.github.io/ may
23                    be of interest.
24            #579  Fix documentation of XML_EndDoctypeDeclHandler in <expat.h>
25            #575  Document that a call to XML_FreeContentModel can be done at
26                    a later time from outside the element declaration handler
27            #574  Make hardcoded namespace URIs easier to find in code
28            #573  Update documentation on use of XML_POOR_ENTOPY on Solaris
29       #569 #571  tests: Resolve use of macros NAN and INFINITY for GNU G++
30                    4.8.2 on Solaris.
31       #578 #580  Version info bumped from 9:6:8 to 9:7:8;
32                    see https://verbump.de/ for what these numbers do
33
34        Special thanks to:
35            Jeffrey Walton
36            Johnny Jazeix
37            Thijs Schreijer
38
39Release 2.4.6 Sun February 20 2022
40        Bug fixes:
41            #566  Fix a regression introduced by the fix for CVE-2022-25313
42                    in release 2.4.5 that affects applications that (1)
43                    call function XML_SetElementDeclHandler and (2) are
44                    parsing XML that contains nested element declarations
45                    (e.g. "<!ELEMENT junk ((bar|foo|xyz+), zebra*)>").
46
47        Other changes:
48       #567 #568  Version info bumped from 9:5:8 to 9:6:8;
49                    see https://verbump.de/ for what these numbers do
50
51        Special thanks to:
52            Matt Sergeant
53            Samanta Navarro
54            Sergei Trofimovich
55                 and
56            NixOS
57            Perl XML::Parser
58
59Release 2.4.5 Fri February 18 2022
60        Security fixes:
61            #562  CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8
62                    sequences (e.g. from start tag names) to the XML
63                    processing application on top of Expat can cause
64                    arbitrary damage (e.g. code execution) depending
65                    on how invalid UTF-8 is handled inside the XML
66                    processor; validation was not their job but Expat's.
67                    Exploits with code execution are known to exist.
68            #561  CVE-2022-25236 -- Passing (one or more) namespace separator
69                    characters in "xmlns[:prefix]" attribute values
70                    made Expat send malformed tag names to the XML
71                    processor on top of Expat which can cause
72                    arbitrary damage (e.g. code execution) depending
73                    on such unexpectable cases are handled inside the XML
74                    processor; validation was not their job but Expat's.
75                    Exploits with code execution are known to exist.
76            #558  CVE-2022-25313 -- Fix stack exhaustion in doctype parsing
77                    that could be triggered by e.g. a 2 megabytes
78                    file with a large number of opening braces.
79                    Expected impact is denial of service or potentially
80                    arbitrary code execution.
81            #560  CVE-2022-25314 -- Fix integer overflow in function copyString;
82                    only affects the encoding name parameter at parser creation
83                    time which is often hardcoded (rather than user input),
84                    takes a value in the gigabytes to trigger, and a 64-bit
85                    machine.  Expected impact is denial of service.
86            #559  CVE-2022-25315 -- Fix integer overflow in function storeRawNames;
87                    needs input in the gigabytes and a 64-bit machine.
88                    Expected impact is denial of service or potentially
89                    arbitrary code execution.
90
91        Other changes:
92       #557 #564  Version info bumped from 9:4:8 to 9:5:8;
93                    see https://verbump.de/ for what these numbers do
94
95        Special thanks to:
96            Ivan Fratric
97            Samanta Navarro
98                 and
99            Google Project Zero
100            JetBrains
101
102Release 2.4.4 Sun January 30 2022
103        Security fixes:
104            #550  CVE-2022-23852 -- Fix signed integer overflow
105                    (undefined behavior) in function XML_GetBuffer
106                    (that is also called by function XML_Parse internally)
107                    for when XML_CONTEXT_BYTES is defined to >0 (which is both
108                    common and default).
109                    Impact is denial of service or more.
110            #551  CVE-2022-23990 -- Fix unsigned integer overflow in function
111                    doProlog triggered by large content in element type
112                    declarations when there is an element declaration handler
113                    present (from a prior call to XML_SetElementDeclHandler).
114                    Impact is denial of service or more.
115
116        Bug fixes:
117       #544 #545  xmlwf: Fix a memory leak on output file opening error
118
119        Other changes:
120            #546  Autotools: Fix broken CMake support under Cygwin
121            #554  Windows: Add missing files to the installer to fix
122                    compilation with CMake from installed sources
123       #552 #554  Version info bumped from 9:3:8 to 9:4:8;
124                    see https://verbump.de/ for what these numbers do
125
126        Special thanks to:
127            Carlo Bramini
128            hwt0415
129            Roland Illig
130            Samanta Navarro
131                 and
132            Clang LeakSan and the Clang team
133
134Release 2.4.3 Sun January 16 2022
135        Security fixes:
136       #531 #534  CVE-2021-45960 -- Fix issues with left shifts by >=29 places
137                    resulting in
138                      a) realloc acting as free
139                      b) realloc allocating too few bytes
140                      c) undefined behavior
141                    depending on architecture and precise value
142                    for XML documents with >=2^27+1 prefixed attributes
143                    on a single XML tag a la
144                    "<r xmlns:a='[..]' a:a123='[..]' [..] />"
145                    where XML_ParserCreateNS is used to create the parser
146                    (which needs argument "-n" when running xmlwf).
147                    Impact is denial of service, or more.
148       #532 #538  CVE-2021-46143 (ZDI-CAN-16157) -- Fix integer overflow
149                    on variable m_groupSize in function doProlog leading
150                    to realloc acting as free.
151                    Impact is denial of service or more.
152            #539  CVE-2022-22822 to CVE-2022-22827 -- Prevent integer overflows
153                    near memory allocation at multiple places.  Mitre assigned
154                    a dedicated CVE for each involved internal C function:
155                    - CVE-2022-22822 for function addBinding
156                    - CVE-2022-22823 for function build_model
157                    - CVE-2022-22824 for function defineAttribute
158                    - CVE-2022-22825 for function lookup
159                    - CVE-2022-22826 for function nextScaffoldPart
160                    - CVE-2022-22827 for function storeAtts
161                    Impact is denial of service or more.
162
163        Other changes:
164            #535  CMake: Make call to file(GENERATE [..]) work for CMake <3.19
165            #541  Autotools|CMake: MinGW: Make run.sh(.in) work for Cygwin
166                    and MSYS2 by not going through Wine on these platforms
167       #527 #528  Address compiler warnings
168       #533 #543  Version info bumped from 9:2:8 to 9:3:8;
169                    see https://verbump.de/ for what these numbers do
170
171        Infrastructure:
172            #536  CI: Check for realistic minimum CMake version
173       #529 #539  CI: Cover compilation with -m32
174            #529  CI: Store coverage reports as artifacts for download
175            #528  CI: Upgrade Clang from 11 to 13
176
177        Special thanks to:
178            An anonymous whitehat
179            Christopher Degawa
180            J. Peter Mugaas
181            Tyson Smith
182                 and
183            GCC Farm Project
184            Trend Micro Zero Day Initiative
185
186Release 2.4.2 Sun December 19 2021
187        Other changes:
188       #509 #510  Link againgst libm for function "isnan"
189       #513 #514  Include expat_config.h as early as possible
190            #498  Autotools: Include files with release archives:
191                    - buildconf.sh
192                    - fuzz/*.c
193       #507 #519  Autotools: Sync CMake templates
194       #495 #524  CMake: MinGW: Fix pkg-config section "Libs" for
195                    - non-release build types (e.g. -DCMAKE_BUILD_TYPE=Debug)
196                    - multi-config CMake generators (e.g. Ninja Multi-Config)
197       #502 #503  docs: Document that function XML_GetBuffer may return NULL
198                    when asking for a buffer of 0 (zero) bytes size
199       #522 #523  docs: Fix return value docs for both
200                    XML_SetBillionLaughsAttackProtection* functions
201       #525 #526  Version info bumped from 9:1:8 to 9:2:8;
202                    see https://verbump.de/ for what these numbers do
203
204        Special thanks to:
205            Dong-hee Na
206            Joergen Ibsen
207            Kai Pastor
208
209Release 2.4.1 Sun May 23 2021
210        Bug fixes:
211       #488 #490  Autotools: Fix installed header expat_config.h for multilib
212                    systems; regression introduced in 2.4.0 by pull request #486
213
214        Other changes:
215       #491 #492  Version info bumped from 9:0:8 to 9:1:8;
216                    see https://verbump.de/ for what these numbers do
217
218        Special thanks to:
219            Gentoo's QA check "multilib_check_headers"
220
221Release 2.4.0 Sun May 23 2021
222        Security fixes:
223   #34 #466 #484  CVE-2013-0340/CWE-776 -- Protect against billion laughs attacks
224                    (denial-of-service; flavors targeting CPU time or RAM or both,
225                    leveraging general entities or parameter entities or both)
226                    by tracking and limiting the input amplification factor
227                    (<amplification> := (<direct> + <indirect>) / <direct>).
228                    By conservative default, amplification up to a factor of 100.0
229                    is tolerated and rejection only starts after 8 MiB of output bytes
230                    (=<direct> + <indirect>) have been processed.
231                    The fix adds the following to the API:
232                    - A new error code XML_ERROR_AMPLIFICATION_LIMIT_BREACH to
233                      signals this specific condition.
234                    - Two new API functions ..
235                      - XML_SetBillionLaughsAttackProtectionMaximumAmplification and
236                      - XML_SetBillionLaughsAttackProtectionActivationThreshold
237                      .. to further tighten billion laughs protection parameters
238                      when desired.  Please see file "doc/reference.html" for details.
239                      If you ever need to increase the defaults for non-attack XML
240                      payload, please file a bug report with libexpat.
241                    - Two new XML_FEATURE_* constants ..
242                      - that can be queried using the XML_GetFeatureList function, and
243                      - that are shown in "xmlwf -v" output.
244                    - Two new environment variable switches ..
245                      - EXPAT_ACCOUNTING_DEBUG=(0|1|2|3) and
246                      - EXPAT_ENTITY_DEBUG=(0|1)
247                      .. for runtime debugging of accounting and entity processing.
248                      Specific behavior of these values may change in the future.
249                    - Two new command line arguments "-a FACTOR" and "-b BYTES"
250                      for xmlwf to further tighten billion laughs protection
251                      parameters when desired.
252                      If you ever need to increase the defaults for non-attack XML
253                      payload, please file a bug report with libexpat.
254
255        Bug fixes:
256       #332 #470  For (non-default) compilation with -DEXPAT_MIN_SIZE=ON (CMake)
257                    or CPPFLAGS=-DXML_MIN_SIZE (GNU Autotools): Fix segfault
258                    for UTF-16 payloads containing CDATA sections.
259       #485 #486  Autotools: Fix generated CMake files for non-64bit and
260                    non-Linux platforms (e.g. macOS and MinGW in particular)
261                    that were introduced with release 2.3.0
262
263        Other changes:
264       #468 #469  xmlwf: Improve help output and the xmlwf man page
265            #463  xmlwf: Improve maintainability through some refactoring
266            #477  xmlwf: Fix man page DocBook validity
267       #458 #459  CMake: Support absolute paths for both CMAKE_INSTALL_LIBDIR
268                    and CMAKE_INSTALL_INCLUDEDIR
269       #471 #481  CMake: Add support for standard variable BUILD_SHARED_LIBS
270            #457  Unexpose symbol _INTERNAL_trim_to_complete_utf8_characters
271            #467  Resolve macro HAVE_EXPAT_CONFIG_H
272            #472  Delete unused legacy helper file "conftools/PrintPath"
273       #473 #483  Improve attribution
274  #464 #465 #477  doc/reference.html: Fix XHTML validity
275       #475 #478  doc/reference.html: Replace the 90s look by OK.css
276            #479  Version info bumped from 8:0:7 to 9:0:8
277                    due to addition of new symbols and error codes;
278                    see https://verbump.de/ for what these numbers do
279
280        Infrastructure:
281            #456  CI: Enable periodic runs
282            #457  CI: Start covering the list of exported symbols
283            #474  CI: Isolate coverage task
284       #476 #482  CI: Adapt to breaking changes in image "ubuntu-18.04"
285            #477  CI: Cover well-formedness and DocBook/XHTML validity
286                    of doc/reference.html and doc/xmlwf.xml
287
288        Special thanks to:
289            Dimitry Andric
290            Eero Helenius
291            Nick Wellnhofer
292            Rhodri James
293            Tomas Korbar
294            Yury Gribov
295                 and
296            Clang LeakSan
297            JetBrains
298            OSS-Fuzz
299
300Release 2.3.0 Thu March 25 2021
301        Bug fixes:
302            #438  When calling XML_ParseBuffer without a prior successful call to
303                    XML_GetBuffer as a user, no longer trigger undefined behavior
304                    (by adding an integer to a NULL pointer) but rather return
305                    XML_STATUS_ERROR and set the error code to (new) code
306                    XML_ERROR_NO_BUFFER. Found by UBSan (UndefinedBehaviorSanitizer)
307                    of Clang 11 (but not Clang 9).
308            #444  xmlwf: Exit status 2 was used for both:
309                    - malformed input files (documented) and
310                    - invalid command-line arguments (undocumented).
311                    The case of invalid command-line arguments now
312                    has its own exit status 4, resolving the ambiguity.
313
314        Other changes:
315            #439  xmlwf: Add argument -k to allow continuing after
316                    non-fatal errors
317            #439  xmlwf: Add section about exit status to the -h help output
318  #422 #426 #447  Windows: Drop support for Visual Studio <=14.0/2015
319            #434  Windows: CMake: Detect unsupported Visual Studio at
320                    configure time (rather than at compile time)
321       #382 #428  testrunner: Make verbose mode (argument "-v") report
322                    about passed tests, and make default mode report about
323                    failures, as well.
324            #442  CMake: Call "enable_language(CXX)" prior to tinkering
325                    with CMAKE_CXX_* variables
326            #448  Document use of libexpat from a CMake-based project
327            #451  Autotools: Install CMake files as generated by CMake 3.19.6
328                    so that users with "find_package(expat [..] CONFIG [..])"
329                    are served on distributions that are *not* using the CMake
330                    build system inside for libexpat packaging
331       #436 #437  Autotools: Drop obsolescent macro AC_HEADER_STDC
332       #450 #452  Autotools: Resolve use of obsolete macro AC_CONFIG_HEADER
333            #441  Address compiler warnings
334            #443  Version info bumped from 7:12:6 to 8:0:7
335                    due to addition of error code XML_ERROR_NO_BUFFER
336                    (see https://verbump.de/ for what these numbers do)
337
338        Infrastructure:
339       #435 #446  Replace Travis CI by GitHub Actions
340
341        Special thanks to:
342            Alexander Richardson
343            Oleksandr Popovych
344            Thomas Beutlich
345            Tim Bray
346                 and
347            Clang LeakSan, Clang 11 UBSan and the Clang team
348
349Release 2.2.10 Sat October 3 2020
350        Bug fixes:
351  #390 #395 #398  Fix undefined behavior during parsing caused by
352                    pointer arithmetic with NULL pointers
353       #404 #405  Fix reading uninitialized variable during parsing
354            #406  xmlwf: Add missing check for malloc NULL return
355
356        Other changes:
357            #396  Windows: Drop support for Visual Studio <=8.0/2005
358            #409  Windows: Add missing file "Changes" to the installer
359                    to fix compilation with CMake from installed sources
360            #403  xmlwf: Document exit codes in xmlwf manpage and
361                    exit with code 3 (rather than code 1) for output errors
362                    when used with "-d DIRECTORY"
363       #356 #359  MinGW: Provide declaration of rand_s for mingwrt <5.3.0
364       #383 #392  Autotools: Use -Werror while configure tests the compiler
365                    for supported compile flags to avoid false positives
366  #383 #393 #394  Autotools: Improve handling of user (C|CPP|CXX|LD)FLAGS,
367                    e.g. ensure that they have the last word over flags added
368                    while running ./configure
369            #360  CMake: Create libexpatw.{dll,so} and expatw.pc (with emphasis
370                    on suffix "w") with -DEXPAT_CHAR_TYPE=(ushort|wchar_t)
371            #360  CMake: Detect and deny unsupported build combinations
372                    involving -DEXPAT_CHAR_TYPE=(ushort|wchar_t)
373            #360  CMake: Install pre-compiled shipped xmlwf.1 manpage in case
374                    of -DEXPAT_BUILD_DOCS=OFF
375  #375 #380 #419  CMake: Fix use of Expat by means of add_subdirectory
376       #407 #408  CMake: Keep expat target name constant at "expat"
377                    (i.e. refrain from using the target name to control
378                    build artifact filenames)
379            #385  CMake: Fix compilation with -DEXPAT_SHARED_LIBS=OFF for
380                    Windows
381                  CMake: Expose man page compilation as target "xmlwf-manpage"
382       #413 #414  CMake: Introduce option EXPAT_BUILD_PKGCONFIG
383                    to control generation of pkg-config file "expat.pc"
384            #424  CMake: Add minimalistic support for building binary packages
385                    with CMake target "package"; based on CPack
386            #366  CMake: Add option -DEXPAT_OSSFUZZ_BUILD=(ON|OFF) with
387                    default OFF to build fuzzer code against OSS-Fuzz and
388                    related environment variable LIB_FUZZING_ENGINE
389            #354  Fix testsuite for -DEXPAT_DTD=OFF and -DEXPAT_NS=OFF, each
390    #354 #355 ..
391       #356 #412  Address compiler warnings
392       #368 #369  Address pngcheck warnings with doc/*.png images
393            #425  Version info bumped from 7:11:6 to 7:12:6
394
395        Special thanks to:
396            asavah
397            Ben Wagner
398            Bhargava Shastry
399            Frank Landgraf
400            Jeffrey Walton
401            Joe Orton
402            Kleber Tarcísio
403            Ma Lin
404            Maciej Sroczyński
405            Mohammed Khajapasha
406            Vadim Zeitlin
407                 and
408            Cppcheck 2.0 and the Cppcheck team
409
410Release 2.2.9 Wed September 25 2019
411        Other changes:
412                  examples: Drop executable bits from elements.c
413            #349  Windows: Change the name of the Windows DLLs from expat*.dll
414                    to libexpat*.dll once more (regression from 2.2.8, first
415                    fixed in 1.95.3, issue #61 on SourceForge today,
416                    was issue #432456 back then); needs a fix due
417                    case-insensitive file systems on Windows and the fact that
418                    Perl's XML::Parser::Expat compiles into Expat.dll.
419            #347  Windows: Only define _CRT_RAND_S if not defined
420                  Version info bumped from 7:10:6 to 7:11:6
421
422        Special thanks to:
423            Ben Wagner
424
425Release 2.2.8 Fri September 13 2019
426        Security fixes:
427       #317 #318  CVE-2019-15903 -- Fix heap overflow triggered by
428                    XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber),
429                    and deny internal entities closing the doctype;
430                    fixed in commit c20b758c332d9a13afbbb276d30db1d183a85d43
431
432        Bug fixes:
433            #240  Fix cases where XML_StopParser did not have any effect
434                    when called from inside of an end element handler
435            #341  xmlwf: Fix exit code for operation without "-d DIRECTORY";
436                    previously, only "-d DIRECTORY" would give you a proper
437                    exit code:
438                      # xmlwf -d . <<<'<not well-formed>' 2>/dev/null ; echo $?
439                      2
440                      # xmlwf <<<'<not well-formed>' 2>/dev/null ; echo $?
441                      0
442                    Now both cases return exit code 2.
443
444        Other changes:
445       #299 #302  Windows: Replace LoadLibrary hack to access
446                    unofficial API function SystemFunction036 (RtlGenRandom)
447                    by using official API function rand_s (needs WinXP+)
448            #325  Windows: Drop support for Visual Studio <=7.1/2003
449                    and document supported compilers in README.md
450            #286  Windows: Remove COM code from xmlwf; in case it turns
451                    out needed later, there will be a dedicated repository
452                    below https://github.com/libexpat/ for that code
453            #322  Windows: Remove explicit MSVC solution and project files.
454                    You can generate Visual Studio solution files through
455                    CMake, e.g.: cmake -G"Visual Studio 15 2017" .
456            #338  xmlwf: Make "xmlwf -h" help output more friendly
457            #339  examples: Improve elements.c
458       #244 #264  Autotools: Add argument --enable-xml-attr-info
459       #239 #301  Autotools: Add arguments
460                    --with-getrandom
461                    --without-getrandom
462                    --with-sys-getrandom
463                    --without-sys-getrandom
464       #312 #343  Autotools: Fix linking issues with "./configure LD=clang"
465                  Autotools: Fix "make run-xmltest" for out-of-source builds
466       #329 #336  CMake: Pull all options from Expat <=2.2.7 into namespace
467                    prefix EXPAT_ with the exception of DOCBOOK_TO_MAN:
468                    - BUILD_doc            -> EXPAT_BUILD_DOCS (plural)
469                    - BUILD_examples       -> EXPAT_BUILD_EXAMPLES
470                    - BUILD_shared         -> EXPAT_SHARED_LIBS
471                    - BUILD_tests          -> EXPAT_BUILD_TESTS
472                    - BUILD_tools          -> EXPAT_BUILD_TOOLS
473                    - DOCBOOK_TO_MAN       -> DOCBOOK_TO_MAN (unchanged)
474                    - INSTALL              -> EXPAT_ENABLE_INSTALL
475                    - MSVC_USE_STATIC_CRT  -> EXPAT_MSVC_STATIC_CRT
476                    - USE_libbsd           -> EXPAT_WITH_LIBBSD
477                    - WARNINGS_AS_ERRORS   -> EXPAT_WARNINGS_AS_ERRORS
478                    - XML_CONTEXT_BYTES    -> EXPAT_CONTEXT_BYTES
479                    - XML_DEV_URANDOM      -> EXPAT_DEV_URANDOM
480                    - XML_DTD              -> EXPAT_DTD
481                    - XML_NS               -> EXPAT_NS
482                    - XML_UNICODE          -> EXPAT_CHAR_TYPE=ushort (!)
483                    - XML_UNICODE_WCHAR_T  -> EXPAT_CHAR_TYPE=wchar_t (!)
484       #244 #264  CMake: Add argument -DEXPAT_ATTR_INFO=(ON|OFF),
485                    default OFF
486            #326  CMake: Add argument -DEXPAT_LARGE_SIZE=(ON|OFF),
487                    default OFF
488            #328  CMake: Add argument -DEXPAT_MIN_SIZE=(ON|OFF),
489                    default OFF
490       #239 #277  CMake: Add arguments
491                    -DEXPAT_WITH_GETRANDOM=(ON|OFF|AUTO), default AUTO
492                    -DEXPAT_WITH_SYS_GETRANDOM=(ON|OFF|AUTO), default AUTO
493            #326  CMake: Install expat_config.h to include directory
494            #326  CMake: Generate and install configuration files for
495                    future find_package(expat [..] CONFIG [..])
496                  CMake: Now produces a summary of applied configuration
497                  CMake: Require C++ compiler only when tests are enabled
498            #330  CMake: Fix compilation for 16bit character types,
499                    i.e. ex -DXML_UNICODE=ON (and ex -DXML_UNICODE_WCHAR_T=ON)
500            #265  CMake: Fix linking with MinGW
501            #330  CMake: Add full support for MinGW; to enable, use
502                    -DCMAKE_TOOLCHAIN_FILE=[expat]/cmake/mingw-toolchain.cmake
503            #330  CMake: Port "make run-xmltest" from GNU Autotools to CMake
504            #316  CMake: Windows: Make binary postfix match MSVC
505                    Old: expat[d].lib
506                    New: expat[w][d][MD|MT].lib
507                  CMake: Migrate files from Windows to Unix line endings
508            #308  CMake: Integrate OSS-Fuzz fuzzers, option
509                    -DEXPAT_BUILD_FUZZERS=(ON|OFF), default OFF
510             #14  Drop an OpenVMS support leftover
511    #235 #268 ..
512    #270 #310 ..
513  #313 #331 #333  Address compiler warnings
514    #282 #283 ..
515       #284 #285  Address cppcheck warnings
516       #294 #295  Address Clang Static Analyzer warnings
517        #24 #293  Mass-apply clang-format 9 (and ensure conformance during CI)
518                  Version info bumped from 7:9:6 to 7:10:6
519
520        Special thanks to:
521            David Loffredo
522            Joonun Jang
523            Kishore Kunche
524            Marco Maggi
525            Mitch Phillips
526            Mohammed Khajapasha
527            Rolf Ade
528            xantares
529            Zhongyuan Zhou
530
531Release 2.2.7 Wed June 19 2019
532        Security fixes:
533       #186 #262  CVE-2018-20843 -- Fix extraction of namespace prefixes from
534                    XML names; XML names with multiple colons could end up in
535                    the wrong namespace, and take a high amount of RAM and CPU
536                    resources while processing, opening the door to
537                    use for denial-of-service attacks
538
539        Other changes:
540       #195 #197  Autotools/CMake: Utilize -fvisibility=hidden to stop
541                    exporting non-API symbols
542            #227  Autotools: Add --without-examples and --without-tests
543            #228  Autotools: Modernize configure.ac
544       #245 #246  Autotools: Fix check for -fvisibility=hidden for Clang
545       #247 #248  Autotools: Fix compilation for lack of docbook2x-man
546       #236 #258  Autotools: Produce .tar.{gz,lz,xz} release archives
547            #212  CMake: Make libdir of pkgconfig expat.pc support multilib
548       #158 #263  CMake: Build man page in PROJECT_BINARY_DIR not _SOURCE_DIR
549            #219  Remove fallback to bcopy, assume that memmove(3) exists
550            #257  Use portable "/usr/bin/env bash" shebang (e.g. for OpenBSD)
551            #243  Windows: Fix syntax of .def module definition files
552                  Version info bumped from 7:8:6 to 7:9:6
553
554        Special thanks to:
555            Benjamin Peterson
556            Caolán McNamara
557            Hanno Böck
558            KangLin
559            Kishore Kunche
560            Marco Maggi
561            Rhodri James
562            Sebastian Dröge
563            userwithuid
564            Yury Gribov
565
566Release 2.2.6 Sun August 12 2018
567        Bug fixes:
568       #170 #206  Avoid doing arithmetic with NULL pointers in XML_GetBuffer
569       #204 #205  Fix 2.2.5 regression with suspend-resume while parsing
570                    a document like '<root/>'
571
572        Other changes:
573       #165 #168  Autotools: Fix docbook-related configure syntax error
574            #166  Autotools: Avoid grep option `-q` for Solaris
575            #167  Autotools: Support
576                    ./configure DOCBOOK_TO_MAN="xmlto man --skip-validation"
577       #159 #167  Autotools: Support DOCBOOK_TO_MAN command which produces
578                    xmlwf.1 rather than XMLWF.1; also covers case insensitive
579                    file systems
580            #181  Autotools: Drop -rpath option passed to libtool
581            #188  Autotools: Detect and deny SGML docbook2man as ours is XML
582            #188  Autotools/CMake: Support command db2x_docbook2man as well
583            #174  CMake: Introduce option WARNINGS_AS_ERRORS, defaults to OFF
584       #184 #185  CMake: Introduce option MSVC_USE_STATIC_CRT, defaults to OFF
585       #207 #208  CMake: Introduce option XML_UNICODE and XML_UNICODE_WCHAR_T,
586                    both defaulting to OFF
587            #175  CMake: Prefer check_symbol_exists over check_function_exists
588            #176  CMake: Create the same pkg-config file as with GNU Autotools
589       #178 #179  CMake: Use GNUInstallDirs module to set proper defaults for
590                    install directories
591            #208  CMake: Utilize expat_config.h.cmake for XML_DEV_URANDOM
592            #180  Windows: Fix compilation of test suite for Visual Studio 2008
593  #131 #173 #202  Address compiler warnings
594  #187 #190 #200  Fix miscellaneous typos
595                  Version info bumped from 7:7:6 to 7:8:6
596
597        Special thanks to:
598            Anton Maklakov
599            Benjamin Peterson
600            Brad King
601            Franek Korta
602            Frank Rast
603            Joe Orton
604            luzpaz
605            Pedro Vicente
606            Rainer Jung
607            Rhodri James
608            Rolf Ade
609            Rolf Eike Beer
610            Thomas Beutlich
611            Tomasz Kłoczko
612
613Release 2.2.5 Tue October 31 2017
614        Bug fixes:
615              #8  If the parser runs out of memory, make sure its internal
616                    state reflects the memory it actually has, not the memory
617                    it wanted to have.
618             #11  The default handler wasn't being called when it should for
619                    a SYSTEM or PUBLIC doctype if an entity declaration handler
620                    was registered.
621       #137 #138  Fix a case of mistakenly reported parsing success where
622                    XML_StopParser was called from an element handler
623            #162  Function XML_ErrorString was returning NULL rather than
624                    a message for code XML_ERROR_INVALID_ARGUMENT
625                    introduced with release 2.2.1
626
627        Other changes:
628            #106  xmlwf: Add argument -N adding notation declarations
629        #75 #106  Test suite: Resolve expected failure cases where xmlwf
630                    output was incomplete
631            #127  Windows: Fix test suite compilation
632       #126 #127  Windows: Fix compilation for Visual Studio 2012
633                  Windows: Upgrade shipped project files to Visual Studio 2017
634        #33 #132  tests: Mass-fix compilation for XML_UNICODE_WCHAR_T
635            #129  examples: Fix compilation for XML_UNICODE_WCHAR_T
636            #130  benchmark: Fix compilation for XML_UNICODE_WCHAR_T
637            #144  xmlwf: Fix compilation for XML_UNICODE_WCHAR_T; still needs
638                    Windows or MinGW for 2-byte wchar_t
639              #9  Address two Clang Static Analyzer false positives
640             #59  Resolve troublesome macros hiding parser struct membership
641                    and dereferencing that pointer
642              #6  Resolve superfluous internal malloc/realloc switch
643       #153 #155  Improve docbook2x-man detection
644            #160  Undefine NDEBUG in the test suite (rather than rejecting it)
645            #161  Address compiler warnings
646                  Version info bumped from 7:6:6 to 7:7:6
647
648        Special thanks to:
649            Benbuck Nason
650            Hans Wennborg
651            José Gutiérrez de la Concha
652            Pedro Monreal Gonzalez
653            Rhodri James
654            Rolf Ade
655            Stephen Groat
656                 and
657            Core Infrastructure Initiative
658
659Release 2.2.4 Sat August 19 2017
660        Bug fixes:
661            #115  Fix copying of partial characters for UTF-8 input
662
663        Other changes:
664            #109  Fix "make check" for non-x86 architectures that default
665                    to unsigned type char (-128..127 rather than 0..255)
666            #109  coverage.sh: Cover -funsigned-char
667                  Autotools: Introduce --without-xmlwf argument
668             #65  Autotools: Replace handwritten Makefile with GNU Automake
669             #43  CMake: Auto-detect high quality entropy extractors, add new
670                    option USE_libbsd=ON to use arc4random_buf of libbsd
671             #74  CMake: Add -fno-strict-aliasing only where supported
672            #114  CMake: Always honor manually set BUILD_* options
673            #114  CMake: Compile man page if docbook2x-man is available, only
674            #117  Include file tests/xmltest.log.expected in source tarball
675                    (required for "make run-xmltest")
676            #117  Include (existing) Visual Studio 2013 files in source tarball
677                  Improve test suite error output
678            #111  Fix some typos in documentation
679                  Version info bumped from 7:5:6 to 7:6:6
680
681        Special thanks to:
682            Jakub Wilk
683            Joe Orton
684            Lin Tian
685            Rolf Eike Beer
686
687Release 2.2.3 Wed August 2 2017
688        Security fixes:
689             #82  CVE-2017-11742 -- Windows: Fix DLL hijacking vulnerability
690                    using Steve Holme's LoadLibrary wrapper for/of cURL
691
692        Bug fixes:
693             #85  Fix a dangling pointer issue related to realloc
694
695        Other changes:
696                  Increase code coverage
697             #91  Linux: Allow getrandom to fail if nonblocking pool has not
698                    yet been initialized and read /dev/urandom then, instead.
699                    This is in line with what recent Python does.
700             #81  Pre-10.7/Lion macOS: Support entropy from arc4random
701             #86  Check that a UTF-16 encoding in an XML declaration has the
702                    right endianness
703        #4 #5 #7  Recover correctly when some reallocations fail
704                  Repair "./configure && make" for systems without any
705                    provider of high quality entropy
706                    and try reading /dev/urandom on those
707                  Ensure that user-defined character encodings have converter
708                    functions when they are needed
709                  Fix mis-leading description of argument -c in xmlwf.1
710                  Rely on macro HAVE_ARC4RANDOM_BUF (rather than __CloudABI__)
711                    for CloudABI
712            #100  Fix use of SIPHASH_MAIN in siphash.h
713             #23  Test suite: Fix memory leaks
714                  Version info bumped from 7:4:6 to 7:5:6
715
716        Special thanks to:
717            Chanho Park
718            Joe Orton
719            Pascal Cuoq
720            Rhodri James
721            Simon McVittie
722            Vadim Zeitlin
723            Viktor Szakats
724                 and
725            Core Infrastructure Initiative
726
727Release 2.2.2 Wed July 12 2017
728        Security fixes:
729             #43  Protect against compilation without any source of high
730                    quality entropy enabled, e.g. with CMake build system;
731                    commit ff0207e6076e9828e536b8d9cd45c9c92069b895
732             #60  Windows with _UNICODE:
733                    Unintended use of LoadLibraryW with a non-wide string
734                    resulted in failure to load advapi32.dll and degradation
735                    in quality of used entropy when compiled with _UNICODE for
736                    Windows; you can launch existing binaries with
737                    EXPAT_ENTROPY_DEBUG=1 in the environment to inspect the
738                    quality of entropy used during runtime; commits
739                    * 95b95032f907ef1cd17ee7a9a1768010a825d61d
740                    * 73a5a2e9c081f49f2d775cf7ced864158b68dc80
741   [MOX-006]      Fix non-NULL parser parameter validation in XML_Parse;
742                    resulted in NULL dereference, previously;
743                    commit ac256dafdffc9622ab0dc2c62fcecb0dfcfa71fe
744
745        Bug fixes:
746             #69  Fix improper use of unsigned long long integer literals
747
748        Other changes:
749             #73  Start requiring a C99 compiler
750             #49  Fix "==" Bashism in configure script
751             #50  Fix too eager getrandom detection for Debian GNU/kFreeBSD
752             #52    and macOS
753             #51  Address lack of stdint.h in Visual Studio 2003 to 2008
754             #58  Address compile warnings
755             #68  Fix "./buildconf.sh && ./configure" for some versions
756                    of Dash for /bin/sh
757             #72  CMake: Ease use of Expat in context of a parent project
758                    with multiple CMakeLists.txt files
759             #72  CMake: Resolve mistaken executable permissions
760             #76  Address compile warning with -DNDEBUG (not recommended!)
761             #77  Address compile warning about macro redefinition
762
763        Special thanks to:
764            Alexander Bluhm
765            Ben Boeckel
766            Cătălin Răceanu
767            Kerin Millar
768            László Böszörményi
769            S. P. Zeidler
770            Segev Finer
771            Václav Slavík
772            Victor Stinner
773            Viktor Szakats
774                 and
775            Radically Open Security
776
777Release 2.2.1 Sat June 17 2017
778        Security fixes:
779                  CVE-2017-9233 -- External entity infinite loop DoS
780                    Details: https://libexpat.github.io/doc/cve-2017-9233/
781                    Commit c4bf96bb51dd2a1b0e185374362ee136fe2c9d7f
782   [MOX-002]      CVE-2016-9063 -- Detect integer overflow; commit
783                    d4f735b88d9932bd5039df2335eefdd0723dbe20
784                    (Fixed version of existing downstream patches!)
785   (SF.net) #539  Fix regression from fix to CVE-2016-0718 cutting off
786                    longer tag names; commits
787                    * 896b6c1fd3b842f377d1b62135dccf0a579cf65d
788                    * af507cef2c93cb8d40062a0abe43a4f4e9158fb2
789             #16    * 0dbbf43fdb20f593ddf4fa1ff67288000dd4a7fd
790             #25  More integer overflow detection (function poolGrow); commits
791                    * 810b74e4703dcfdd8f404e3cb177d44684775143
792                    * 44178553f3539ce69d34abee77a05e879a7982ac
793   [MOX-002]      Detect overflow from len=INT_MAX call to XML_Parse; commits
794                    * 4be2cb5afcc018d996f34bbbce6374b7befad47f
795                    * 7e5b71b748491b6e459e5c9a1d090820f94544d8
796   [MOX-005] #30  Use high quality entropy for hash initialization:
797                    * arc4random_buf on BSD, systems with libbsd
798                      (when configured with --with-libbsd), CloudABI
799                    * RtlGenRandom on Windows XP / Server 2003 and later
800                    * getrandom on Linux 3.17+
801                    In a way, that's still part of CVE-2016-5300.
802                    https://github.com/libexpat/libexpat/pull/30/commits
803   [MOX-005]      For the low quality entropy extraction fallback code,
804                    the parser instance address can no longer leak, commit
805                    04ad658bd3079dd15cb60fc67087900f0ff4b083
806   [MOX-003]      Prevent use of uninitialised variable; commit
807   [MOX-004]        a4dc944f37b664a3ca7199c624a98ee37babdb4b
808                  Add missing parameter validation to public API functions
809                    and dedicated error code XML_ERROR_INVALID_ARGUMENT:
810   [MOX-006]        * NULL checks; commits
811                      * d37f74b2b7149a3a95a680c4c4cd2a451a51d60a (merge/many)
812                      * 9ed727064b675b7180c98cb3d4f75efba6966681
813                      * 6a747c837c50114dfa413994e07c0ba477be4534
814                    * Negative length (XML_Parse); commit
815   [MOX-002]          70db8d2538a10f4c022655d6895e4c3e78692e7f
816   [MOX-001] #35  Change hash algorithm to William Ahern's version of SipHash
817                    to go further with fixing CVE-2012-0876.
818                    https://github.com/libexpat/libexpat/pull/39/commits
819
820        Bug fixes:
821             #32  Fix sharing of hash salt across parsers;
822                    relevant where XML_ExternalEntityParserCreate is called
823                    prior to XML_Parse, in particular (e.g. FBReader)
824             #28  xmlwf: Auto-disable use of memory-mapping (and parsing
825                    as a single chunk) for files larger than ~1 GB (2^30 bytes)
826                    rather than failing with error "out of memory"
827              #3  Fix double free after malloc failure in DTD code; commit
828                    7ae9c3d3af433cd4defe95234eae7dc8ed15637f
829             #17  Fix memory leak on parser error for unbound XML attribute
830                    prefix with new namespaces defined in the same tag;
831                    found by Google's OSS-Fuzz; commits
832                    * 16f87daae5a16132e479e4f71862128c7a915c73
833                    * b47dbc9745932c160893d433220e462bd605f8cd
834                  xmlwf on Windows: Add missing calls to CloseHandle
835
836        New features:
837             #30  Introduced environment switch EXPAT_ENTROPY_DEBUG=1
838                    for runtime debugging of entropy extraction
839
840        Other changes:
841                  Increase code coverage
842             #33  Reject use of XML_UNICODE_WCHAR_T with sizeof(wchar_t) != 2;
843                    XML_UNICODE_WCHAR_T was never meant to be used outside
844                    of Windows; 4-byte wchar_t is common on Linux
845   (SF.net) #538  Start using -fno-strict-aliasing
846   (SF.net) #540  Support compilation against cloudlibc of CloudABI
847                  Allow MinGW cross-compilation
848   (SF.net) #534  CMake: Introduce option "BUILD_doc" (enabled by default)
849                    to bypass compilation of the xmlwf.1 man page
850   (SF.net)  pr2  CMake: Introduce option "INSTALL" (enabled by default)
851                    to bypass installation of expat files
852                  CMake: Fix ninja support
853                  Autotools: Add parameters --enable-xml-context [COUNT]
854                    and --disable-xml-context; default of context of 1024
855                    bytes enabled unchanged
856             #14  Drop AmigaOS 4.x code and includes
857             #14  Drop ancient build systems:
858                    * Borland C++ Builder
859                    * OpenVMS
860                    * Open Watcom
861                    * Visual Studio 6.0
862                    * Pre-X Mac OS (MPW Makefile)
863                    If you happen to rely on some of these, please get in
864                    touch for joining with maintenance.
865             #10  Move from WIN32 to _WIN32
866             #13  Fix "make run-xmltest" order instability
867                  Address compile warnings
868                  Bump version info from 7:2:6 to 7:3:6
869                  Add AUTHORS file
870
871        Infrastructure:
872              #1  Migrate from SourceForge to GitHub (except downloads):
873                    https://github.com/libexpat/
874              #1  Re-create http://libexpat.org/ project website
875                  Start utilizing Travis CI
876
877        Special thanks to:
878            Andy Wang
879            Don Lewis
880            Ed Schouten
881            Karl Waclawek
882            Pascal Cuoq
883            Rhodri James
884            Sergei Nikulov
885            Tobias Taschner
886            Viktor Szakats
887                 and
888            Core Infrastructure Initiative
889            Mozilla Foundation (MOSS Track 3: Secure Open Source)
890            Radically Open Security
891
892Release 2.2.0 Tue June 21 2016
893        Security fixes:
894            #537  CVE-2016-0718 -- Fix crash on malformed input
895                  CVE-2016-4472 -- Improve insufficient fix to CVE-2015-1283 /
896                                   CVE-2015-2716 introduced with Expat 2.1.1
897            #499  CVE-2016-5300 -- Use more entropy for hash initialization
898                                   than the original fix to CVE-2012-0876
899            #519  CVE-2012-6702 -- Resolve troublesome internal call to srand
900                                   that was introduced with Expat 2.1.0
901                                   when addressing CVE-2012-0876 (issue #496)
902
903        Bug fixes:
904                  Fix uninitialized reads of size 1
905                    (e.g. in little2_updatePosition)
906                  Fix detection of UTF-8 character boundaries
907
908        Other changes:
909            #532  Fix compilation for Visual Studio 2010 (keyword "C99")
910                  Autotools: Resolve use of "$<" to better support bmake
911                  Autotools: Add QA script "qa.sh" (and make target "qa")
912                  Autotools: Respect CXXFLAGS if given
913                  Autotools: Fix "make run-xmltest"
914                  Autotools: Have "make run-xmltest" check for expected output
915             p90  CMake: Fix static build (BUILD_shared=OFF) on Windows
916            #536  CMake: Add soversion, support -DNO_SONAME=yes to bypass
917            #323  CMake: Add suffix "d" to differentiate debug from release
918                  CMake: Define WIN32 with CMake on Windows
919                  Annotate memory allocators for GCC
920                  Address all currently known compile warnings
921                  Make sure that API symbols remain visible despite
922                    -fvisibility=hidden
923                  Remove executable flag from source files
924                  Resolve COMPILED_FROM_DSP in favor of WIN32
925
926        Special thanks to:
927            Björn Lindahl
928            Christian Heimes
929            Cristian Rodríguez
930            Daniel Krügler
931            Gustavo Grieco
932            Karl Waclawek
933            László Böszörményi
934            Marco Grassi
935            Pascal Cuoq
936            Sergei Nikulov
937            Thomas Beutlich
938            Warren Young
939            Yann Droneaud
940
941Release 2.1.1 Sat March 12 2016
942        Security fixes:
943            #582: CVE-2015-1283 - Multiple integer overflows in XML_GetBuffer
944
945        Bug fixes:
946            #502: Fix potential null pointer dereference
947            #520: Symbol XML_SetHashSalt was not exported
948            Output of "xmlwf -h" was incomplete
949
950        Other changes:
951            #503: Document behavior of calling XML_SetHashSalt with salt 0
952            Minor improvements to man page xmlwf(1)
953            Improvements to the experimental CMake build system
954            libtool now invoked with --verbose
955
956Release 2.1.0 Sat March 24 2012
957        - Security fixes:
958          #2958794: CVE-2012-1148 - Memory leak in poolGrow.
959          #2895533: CVE-2012-1147 - Resource leak in readfilemap.c.
960          #3496608: CVE-2012-0876 - Hash DOS attack.
961          #2894085: CVE-2009-3560 - Buffer over-read and crash in big2_toUtf8().
962          #1990430: CVE-2009-3720 - Parser crash with special UTF-8 sequences.
963        - Bug Fixes:
964          #1742315: Harmful XML_ParserCreateNS suggestion.
965          #1785430: Expat build fails on linux-amd64 with gcc version>=4.1 -O3.
966          #1983953, 2517952, 2517962, 2649838:
967                Build modifications using autoreconf instead of buildconf.sh.
968          #2815947, #2884086: OBJEXT and EXEEXT support while building.
969          #2517938: xmlwf should return non-zero exit status if not well-formed.
970          #2517946: Wrong statement about XMLDecl in xmlwf.1 and xmlwf.sgml.
971          #2855609: Dangling positionPtr after error.
972          #2990652: CMake support.
973          #3010819: UNEXPECTED_STATE with a trailing "%" in entity value.
974          #3206497: Uninitialized memory returned from XML_Parse.
975          #3287849: make check fails on mingw-w64.
976        - Patches:
977          #1749198: pkg-config support.
978          #3010222: Fix for bug #3010819.
979          #3312568: CMake support.
980          #3446384: Report byte offsets for attr names and values.
981        - New Features / API changes:
982          Added new API member XML_SetHashSalt() that allows setting an initial
983                value (salt) for hash calculations. This is part of the fix for
984                bug #3496608 to randomize hash parameters.
985          When compiled with XML_ATTR_INFO defined, adds new API member
986                XML_GetAttributeInfo() that allows retrieving the byte
987                offsets for attribute names and values (patch #3446384).
988          Added CMake build system.
989                See bug #2990652 and patch #3312568.
990          Added run-benchmark target to Makefile.in - relies on testdata module
991                present in the same relative location as in the repository.
992
993Release 2.0.1 Tue June 5 2007
994        - Fixed bugs #1515266, #1515600: The character data handler's calling
995          of XML_StopParser() was not handled properly; if the parser was
996          stopped and the handler set to NULL, the parser would segfault.
997        - Fixed bug #1690883: Expat failed on EBCDIC systems as it assumed
998          some character constants to be ASCII encoded.
999        - Minor cleanups of the test harness.
1000        - Fixed xmlwf bug #1513566: "out of memory" error on file size zero.
1001        - Fixed outline.c bug #1543233: missing a final XML_ParserFree() call.
1002        - Fixes and improvements for Windows platform:
1003          bugs #1409451, #1476160, #1548182, #1602769, #1717322.
1004        - Build fixes for various platforms:
1005          HP-UX, Tru64, Solaris 9: patch #1437840, bug #1196180.
1006          All Unix: #1554618 (refreshed config.sub/config.guess).
1007                    #1490371, #1613457: support both, DESTDIR and INSTALL_ROOT,
1008                    without relying on GNU-Make specific features.
1009          #1647805: Patched configure.in to work better with Intel compiler.
1010        - Fixes to Makefile.in to have make check work correctly:
1011          bugs #1408143, #1535603, #1536684.
1012        - Added Open Watcom support: patch #1523242.
1013
1014Release 2.0.0 Wed Jan 11 2006
1015        - We no longer use the "check" library for C unit testing; we
1016          always use the (partial) internal implementation of the API.
1017        - Report XML_NS setting via XML_GetFeatureList().
1018        - Fixed headers for use from C++.
1019        - XML_GetCurrentLineNumber() and  XML_GetCurrentColumnNumber()
1020          now return unsigned integers.
1021        - Added XML_LARGE_SIZE switch to enable 64-bit integers for
1022          byte indexes and line/column numbers.
1023        - Updated to use libtool 1.5.22 (the most recent).
1024        - Added support for AmigaOS.
1025        - Some mostly minor bug fixes. SF issues include: #1006708,
1026          #1021776, #1023646, #1114960, #1156398, #1221160, #1271642.
1027
1028Release 1.95.8 Fri Jul 23 2004
1029        - Major new feature: suspend/resume.  Handlers can now request
1030          that a parse be suspended for later resumption or aborted
1031          altogether.  See "Temporarily Stopping Parsing" in the
1032          documentation for more details.
1033        - Some mostly minor bug fixes, but compilation should no
1034          longer generate warnings on most platforms.  SF issues
1035          include: #827319, #840173, #846309, #888329, #896188, #923913,
1036          #928113, #961698, #985192.
1037
1038Release 1.95.7 Mon Oct 20 2003
1039        - Fixed enum XML_Status issue (reported on SourceForge many
1040          times), so compilers that are properly picky will be happy.
1041        - Introduced an XMLCALL macro to control the calling
1042          convention used by the Expat API; this macro should be used
1043          to annotate prototypes and definitions of callback
1044          implementations in code compiled with a calling convention
1045          other than the default convention for the host platform.
1046        - Improved ability to build without the configure-generated
1047          expat_config.h header.  This is useful for applications
1048          which embed Expat rather than linking in the library.
1049        - Fixed a variety of bugs: see SF issues #458907, #609603,
1050          #676844, #679754, #692878, #692964, #695401, #699323, #699487,
1051          #820946.
1052        - Improved hash table lookups.
1053        - Added more regression tests and improved documentation.
1054
1055Release 1.95.6 Tue Jan 28 2003
1056        - Added XML_FreeContentModel().
1057        - Added XML_MemMalloc(), XML_MemRealloc(), XML_MemFree().
1058        - Fixed a variety of bugs: see SF issues #615606, #616863,
1059          #618199, #653180, #673791.
1060        - Enhanced the regression test suite.
1061        - Man page improvements: includes SF issue #632146.
1062
1063Release 1.95.5 Fri Sep 6 2002
1064        - Added XML_UseForeignDTD() for improved SAX2 support.
1065        - Added XML_GetFeatureList().
1066        - Defined XML_Bool type and the values XML_TRUE and XML_FALSE.
1067        - Use an incomplete struct instead of a void* for the parser
1068          (may not retain).
1069        - Fixed UTF-8 decoding bug that caused legal UTF-8 to be rejected.
1070        - Finally fixed bug where default handler would report DTD
1071          events that were already handled by another handler.
1072          Initial patch contributed by Darryl Miles.
1073        - Removed unnecessary DllMain() function that caused static
1074          linking into a DLL to be difficult.
1075        - Added VC++ projects for building static libraries.
1076        - Reduced line-length for all source code and headers to be
1077          no longer than 80 characters, to help with AS/400 support.
1078        - Reduced memory copying during parsing (SF patch #600964).
1079        - Fixed a variety of bugs: see SF issues #580793, #434664,
1080          #483514, #580503, #581069, #584041, #584183, #584832, #585537,
1081          #596555, #596678, #598352, #598944, #599715, #600479, #600971.
1082
1083Release 1.95.4 Fri Jul 12 2002
1084        - Added support for VMS, contributed by Craig Berry.  See
1085          vms/README.vms for more information.
1086        - Added Mac OS (classic) support, with a makefile for MPW,
1087          contributed by Thomas Wegner and Daryle Walker.
1088        - Added Borland C++ Builder 5 / BCC 5.5 support, contributed
1089          by Patrick McConnell (SF patch #538032).
1090        - Fixed a variety of bugs: see SF issues #441449, #563184,
1091          #564342, #566334, #566901, #569461, #570263, #575168, #579196.
1092        - Made skippedEntityHandler conform to SAX2 (see source comment)
1093        - Re-implemented WFC: Entity Declared from XML 1.0 spec and
1094          added a new error "entity declared in parameter entity":
1095          see SF bug report #569461 and SF patch #578161
1096        - Re-implemented section 5.1 from XML 1.0 spec:
1097          see SF bug report #570263 and SF patch #578161
1098
1099Release 1.95.3 Mon Jun 3 2002
1100        - Added a project to the MSVC workspace to create a wchar_t
1101          version of the library; the DLLs are named libexpatw.dll.
1102        - Changed the name of the Windows DLLs from expat.dll to
1103          libexpat.dll; this fixes SF bug #432456.
1104        - Added the XML_ParserReset() API function.
1105        - Fixed XML_SetReturnNSTriplet() to work for element names.
1106        - Made the XML_UNICODE builds usable (thanks, Karl!).
1107        - Allow xmlwf to read from standard input.
1108        - Install a man page for xmlwf on Unix systems.
1109        - Fixed many bugs; see SF bug reports #231864, #461380, #464837,
1110          #466885, #469226, #477667, #484419, #487840, #494749, #496505,
1111          #547350.  Other bugs which we can't test as easily may also
1112          have been fixed, especially in the area of build support.
1113
1114Release 1.95.2 Fri Jul 27 2001
1115        - More changes to make MSVC happy with the build; add a single
1116          workspace to support both the library and xmlwf application.
1117        - Added a Windows installer for Windows users; includes
1118          xmlwf.exe.
1119        - Added compile-time constants that can be used to determine the
1120          Expat version
1121        - Removed a lot of GNU-specific dependencies to aide portability
1122          among the various Unix flavors.
1123        - Fix the UTF-8 BOM bug.
1124        - Cleaned up warning messages for several compilers.
1125        - Added the -Wall, -Wstrict-prototypes options for GCC.
1126
1127Release 1.95.1 Sun Oct 22 15:11:36 EDT 2000
1128        - Changes to get expat to build under Microsoft compiler
1129        - Removed all aborts and instead return an UNEXPECTED_STATE error.
1130        - Fixed a bug where a stray '%' in an entity value would cause an
1131          abort.
1132        - Defined XML_SetEndNamespaceDeclHandler. Thanks to Darryl Miles for
1133          finding this oversight.
1134        - Changed default patterns in lib/Makefile.in to fit non-GNU makes
1135          Thanks to robin@unrated.net for reporting and providing an
1136          account to test on.
1137        - The reference had the wrong label for XML_SetStartNamespaceDecl.
1138          Reported by an anonymous user.
1139
1140Release 1.95.0 Fri Sep 29 2000
1141        - XML_ParserCreate_MM
1142                Allows you to set a memory management suite to replace the
1143                standard malloc,realloc, and free.
1144        - XML_SetReturnNSTriplet
1145                If you turn this feature on when namespace processing is in
1146                effect, then qualified, prefixed element and attribute names
1147                are returned as "uri|name|prefix" where '|' is whatever
1148                separator character is used in namespace processing.
1149        - Merged in features from perl-expat
1150                o XML_SetElementDeclHandler
1151                o XML_SetAttlistDeclHandler
1152                o XML_SetXmlDeclHandler
1153                o XML_SetEntityDeclHandler
1154                o StartDoctypeDeclHandler takes 3 additional parameters:
1155                        sysid, pubid, has_internal_subset
1156                o Many paired handler setters (like XML_SetElementHandler)
1157                  now have corresponding individual handler setters
1158                o XML_GetInputContext for getting the input context of
1159                  the current parse position.
1160        - Added reference material
1161        - Packaged into a distribution that builds a sharable library
1162