NOTE: We are looking for help with a few things:
      https://github.com/libexpat/libexpat/labels/help%20wanted
      If you can help, please get in touch. Thanks!

Release 2.4.9 Tue September 20 2022
        Security fixes:
       #629 #640  CVE-2022-40674 -- Heap use-after-free vulnerability in
                    function doContent. Expected impact is denial of service
                    or potentially arbitrary code execution.

        Bug fixes:
            #634  MinGW: Fix mis-compilation for -D__USE_MINGW_ANSI_STDIO=0
            #614  docs: Fix documentation on effect of switch XML_DTD on
                    symbol visibility in doc/reference.html

        Other changes:
            #638  MinGW: Make fix-xmltest-log.sh drop more Wine bug output
       #596 #625  Autotools: Sync CMake templates with CMake 3.22
            #608  CMake: Migrate from use of CMAKE_*_POSTFIX to
                    dedicated variables EXPAT_*_POSTFIX to stop affecting
                    other projects
       #597 #599  Windows|CMake: Add missing -DXML_STATIC to test runners
                    and fuzzers
       #512 #621  Windows|CMake: Render .def file from a template to fix
                    linking with -DEXPAT_DTD=OFF and/or -DEXPAT_ATTR_INFO=ON
       #611 #621  MinGW|CMake: Apply MSVC .def file when linking
       #622 #624  MinGW|CMake: Sync library name with GNU Autotools,
                    i.e. produce libexpat-1.dll rather than libexpat.dll
                    by default. Filename libexpat.dll.a is unaffected.
            #632  MinGW|CMake: Set missing variable CMAKE_RC_COMPILER in
                    toolchain file "cmake/mingw-toolchain.cmake" to avoid
                    error "windres: Command not found" on e.g. Ubuntu 20.04
       #597 #627  CMake: Unify inconsistent use of set() and option() in
                    context of public build time options to take need for
                    set(.. FORCE) in projects using Expat by means of
                    add_subdirectory(..) off Expat's users' shoulders
       #626 #641  Stop exporting API symbols when building a static library
            #644  Resolve use of deprecated "fgrep" by "grep -F"
            #620  CMake: Make documentation on variables a bit more consistent
            #636  CMake: Drop leading whitespace from a #cmakedefine line in
                    file expat_config.h.cmake
            #594  xmlwf: Fix harmless variable mix-up in function nsattcmp
  #592 #593 #610  Address Cppcheck warnings
            #643  Address Clang 15 compiler warnings
       #642 #644  Version info bumped from 9:8:8 to 9:9:8;
                    see https://verbump.de/ for what these numbers do

        Infrastructure:
       #597 #598  CI: Windows: Start covering MSVC 2022
            #619  CI: macOS: Migrate off deprecated macOS 10.15
            #632  CI: Linux: Make migration off deprecated Ubuntu 18.04 work
            #643  CI: Upgrade Clang from 14 to 15
            #637  apply-clang-format.sh: Add support for BSD find
            #633  coverage.sh: Exclude MinGW headers
            #635  coverage.sh: Fix name collision for -funsigned-char

        Special thanks to:
            David Faure
            Felix Wilhelm
            Frank Bergmann
            Rhodri James
            Rosen Penev
            Thijs Schreijer
            Vincent Torri
                  and
            Google Project Zero

Release 2.4.8 Mon March 28 2022
        Other changes:
            #587  pkg-config: Move "-lm" to section "Libs.private"
            #587  CMake|MSVC: Fix pkg-config section "Libs"
        #55 #582  CMake|macOS: Start using linker arguments
                    "-compatibility_version <version>" and
                    "-current_version <version>" in a way compatible with
                    GNU Libtool
       #590 #591  Version info bumped from 9:7:8 to 9:8:8;
                    see https://verbump.de/ for what these numbers do

        Infrastructure:
            #589  CI: Upgrade Clang from 13 to 14

        Special thanks to:
            evpobr
            Kai Pastor
            Sam James

Release 2.4.7 Fri March 4 2022
        Bug fixes:
       #572 #577  Relax fix to CVE-2022-25236 (introduced with release 2.4.5)
                    with regard to all valid URI characters (RFC 3986),
                    i.e. the following set (excluding whitespace):
                    ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz
                    0123456789 % -._~ :/?#[]@ !$&'()*+,;=

        Other changes:
  #555 #570 #581  CMake|Windows: Store Expat version in the DLL
            #577  Document consequences of namespace separator choices not just
                    in doc/reference.html but also in header <expat.h>
            #577  Document Expat's lack of validation of namespace URIs against
                    RFC 3986, and that the XML 1.0r4 specification doesn't
                    require Expat to validate namespace URIs, and that Expat
                    may do more in that regard in future releases.
                    If you find need for strict RFC 3986 URI validation on
                    application level today, https://uriparser.github.io/ may
                    be of interest.
            #579  Fix documentation of XML_EndDoctypeDeclHandler in <expat.h>
            #575  Document that a call to XML_FreeContentModel can be done at
                    a later time from outside the element declaration handler
            #574  Make hardcoded namespace URIs easier to find in code
            #573  Update documentation on use of XML_POOR_ENTROPY on Solaris
       #569 #571  tests: Resolve use of macros NAN and INFINITY for GNU G++
                    4.8.2 on Solaris.
       #578 #580  Version info bumped from 9:6:8 to 9:7:8;
                    see https://verbump.de/ for what these numbers do

        Special thanks to:
            Jeffrey Walton
            Johnny Jazeix
            Thijs Schreijer

Release 2.4.6 Sun February 20 2022
        Bug fixes:
            #566  Fix a regression introduced by the fix for CVE-2022-25313
                    in release 2.4.5 that affects applications that (1)
                    call function XML_SetElementDeclHandler and (2) are
                    parsing XML that contains nested element declarations
                    (e.g. "<!ELEMENT junk ((bar|foo|xyz+), zebra*)>").

        Other changes:
       #567 #568  Version info bumped from 9:5:8 to 9:6:8;
                    see https://verbump.de/ for what these numbers do

        Special thanks to:
            Matt Sergeant
            Samanta Navarro
            Sergei Trofimovich
                  and
            NixOS
            Perl XML::Parser

Release 2.4.5 Fri February 18 2022
        Security fixes:
            #562  CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8
                    sequences (e.g. from start tag names) to the XML
                    processing application on top of Expat can cause
                    arbitrary damage (e.g. code execution) depending
                    on how invalid UTF-8 is handled inside the XML
                    processor; validation was not their job but Expat's.
                    Exploits with code execution are known to exist.
            #561  CVE-2022-25236 -- Passing (one or more) namespace separator
                    characters in "xmlns[:prefix]" attribute values
                    made Expat send malformed tag names to the XML
                    processor on top of Expat which can cause
                    arbitrary damage (e.g. code execution) depending
                    on how such unexpectable cases are handled inside the XML
                    processor; validation was not their job but Expat's.
                    Exploits with code execution are known to exist.
            #558  CVE-2022-25313 -- Fix stack exhaustion in doctype parsing
                    that could be triggered by e.g. a 2 megabytes
                    file with a large number of opening braces.
                    Expected impact is denial of service or potentially
                    arbitrary code execution.
            #560  CVE-2022-25314 -- Fix integer overflow in function copyString;
                    only affects the encoding name parameter at parser creation
                    time which is often hardcoded (rather than user input),
                    takes a value in the gigabytes to trigger, and a 64-bit
                    machine. Expected impact is denial of service.
            #559  CVE-2022-25315 -- Fix integer overflow in function storeRawNames;
                    needs input in the gigabytes and a 64-bit machine.
                    Expected impact is denial of service or potentially
                    arbitrary code execution.
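
The well-formedness check that the CVE-2022-25235 entry above refers to, as an added example that is not part of this changelog and is not Expat's code: a stand-alone C validator in the style of RFC 3629 that goes beyond the 2- and 3-byte cases to cover 1- to 4-byte sequences. The function names and the sample byte strings are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* True for a UTF-8 continuation byte (bit pattern 10xxxxxx). */
bool is_cont(unsigned char b) { return (b & 0xC0) == 0x80; }

/* Returns the offset of the first ill-formed sequence, or n if the
 * whole buffer is well-formed UTF-8. */
size_t utf8_first_error(const unsigned char *s, size_t n) {
  size_t i = 0;
  while (i < n) {
    unsigned char b0 = s[i];
    if (b0 < 0x80) {                     /* 1 byte: ASCII */
      i += 1;
    } else if (b0 >= 0xC2 && b0 <= 0xDF) { /* 2 bytes; C0/C1 are overlong */
      if (n - i < 2 || !is_cont(s[i + 1]))
        return i;
      i += 2;
    } else if (b0 >= 0xE0 && b0 <= 0xEF) { /* 3 bytes */
      if (n - i < 3 || !is_cont(s[i + 1]) || !is_cont(s[i + 2]))
        return i;
      if (b0 == 0xE0 && s[i + 1] < 0xA0)   /* overlong encoding */
        return i;
      if (b0 == 0xED && s[i + 1] > 0x9F)   /* UTF-16 surrogate range */
        return i;
      i += 3;
    } else if (b0 >= 0xF0 && b0 <= 0xF4) { /* 4 bytes */
      if (n - i < 4 || !is_cont(s[i + 1]) || !is_cont(s[i + 2])
          || !is_cont(s[i + 3]))
        return i;
      if (b0 == 0xF0 && s[i + 1] < 0x90)   /* overlong encoding */
        return i;
      if (b0 == 0xF4 && s[i + 1] > 0x8F)   /* above U+10FFFF */
        return i;
      i += 4;
    } else {
      return i; /* stray continuation byte, C0/C1, or F5..FF */
    }
  }
  return n;
}

bool utf8_well_formed(const unsigned char *s, size_t n) {
  return utf8_first_error(s, n) == n;
}

int main(void) {
  /* Constructed samples: a valid 2-byte sequence, a 2-byte lead with a
   * bad continuation byte, and a truncated 3-byte sequence. */
  const unsigned char good[] = {'c', 'a', 'f', 0xC3, 0xA9};
  const unsigned char bad2[] = {'a', 0xC3, 0x28};
  const unsigned char trunc3[] = {0xE2, 0x82};
  printf("good:   %s\n", utf8_well_formed(good, sizeof good) ? "ok" : "bad");
  printf("bad2:   first error at offset %zu\n",
         utf8_first_error(bad2, sizeof bad2));
  printf("trunc3: first error at offset %zu\n",
         utf8_first_error(trunc3, sizeof trunc3));
  return 0;
}
```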

        Other changes:
       #557 #564  Version info bumped from 9:4:8 to 9:5:8;
                    see https://verbump.de/ for what these numbers do

        Special thanks to:
            Ivan Fratric
            Samanta Navarro
                  and
            Google Project Zero
            JetBrains

Release 2.4.4 Sun January 30 2022
        Security fixes:
            #550  CVE-2022-23852 -- Fix signed integer overflow
                    (undefined behavior) in function XML_GetBuffer
                    (that is also called by function XML_Parse internally)
                    for when XML_CONTEXT_BYTES is defined to >0 (which is both
                    common and default).
                    Impact is denial of service or more.
            #551  CVE-2022-23990 -- Fix unsigned integer overflow in function
                    doProlog triggered by large content in element type
                    declarations when there is an element declaration handler
                    present (from a prior call to XML_SetElementDeclHandler).
                    Impact is denial of service or more.

        Bug fixes:
       #544 #545  xmlwf: Fix a memory leak on output file opening error

        Other changes:
            #546  Autotools: Fix broken CMake support under Cygwin
            #554  Windows: Add missing files to the installer to fix
                    compilation with CMake from installed sources
       #552 #554  Version info bumped from 9:3:8 to 9:4:8;
                    see https://verbump.de/ for what these numbers do

        Special thanks to:
            Carlo Bramini
            hwt0415
            Roland Illig
            Samanta Navarro
                  and
            Clang LeakSan and the Clang team

Release 2.4.3 Sun January 16 2022
        Security fixes:
       #531 #534  CVE-2021-45960 -- Fix issues with left shifts by >=29 places
                    resulting in
                      a) realloc acting as free
                      b) realloc allocating too few bytes
                      c) undefined behavior
                    depending on architecture and precise value
                    for XML documents with >=2^27+1 prefixed attributes
                    on a single XML tag a la
                    "<r xmlns:a='[..]' a:a123='[..]' [..] />"
                    where XML_ParserCreateNS is used to create the parser
                    (which needs argument "-n" when running xmlwf).
                    Impact is denial of service, or more.
       #532 #538  CVE-2021-46143 (ZDI-CAN-16157) -- Fix integer overflow
                    on variable m_groupSize in function doProlog leading
                    to realloc acting as free.
                    Impact is denial of service or more.
            #539  CVE-2022-22822 to CVE-2022-22827 -- Prevent integer overflows
                    near memory allocation at multiple places. Mitre assigned
                    a dedicated CVE for each involved internal C function:
                    - CVE-2022-22822 for function addBinding
                    - CVE-2022-22823 for function build_model
                    - CVE-2022-22824 for function defineAttribute
                    - CVE-2022-22825 for function lookup
                    - CVE-2022-22826 for function nextScaffoldPart
                    - CVE-2022-22827 for function storeAtts
                    Impact is denial of service or more.

        Other changes:
            #535  CMake: Make call to file(GENERATE [..]) work for CMake <3.19
            #541  Autotools|CMake: MinGW: Make run.sh(.in) work for Cygwin
                    and MSYS2 by not going through Wine on these platforms
       #527 #528  Address compiler warnings
       #533 #543  Version info bumped from 9:2:8 to 9:3:8;
                    see https://verbump.de/ for what these numbers do

        Infrastructure:
            #536  CI: Check for realistic minimum CMake version
       #529 #539  CI: Cover compilation with -m32
            #529  CI: Store coverage reports as artifacts for download
            #528  CI: Upgrade Clang from 11 to 13

        Special thanks to:
            An anonymous whitehat
            Christopher Degawa
            J. Peter Mugaas
            Tyson Smith
                  and
            GCC Farm Project
            Trend Micro Zero Day Initiative

Release 2.4.2 Sun December 19 2021
        Other changes:
       #509 #510  Link against libm for function "isnan"
       #513 #514  Include expat_config.h as early as possible
            #498  Autotools: Include files with release archives:
                    - buildconf.sh
                    - fuzz/*.c
       #507 #519  Autotools: Sync CMake templates with CMake 3.20
       #495 #524  CMake: MinGW: Fix pkg-config section "Libs" for
                    - non-release build types (e.g. -DCMAKE_BUILD_TYPE=Debug)
                    - multi-config CMake generators (e.g. Ninja Multi-Config)
       #502 #503  docs: Document that function XML_GetBuffer may return NULL
                    when asking for a buffer of 0 (zero) bytes size
       #522 #523  docs: Fix return value docs for both
                    XML_SetBillionLaughsAttackProtection* functions
       #525 #526  Version info bumped from 9:1:8 to 9:2:8;
                    see https://verbump.de/ for what these numbers do

        Special thanks to:
            Dong-hee Na
            Joergen Ibsen
            Kai Pastor

Release 2.4.1 Sun May 23 2021
        Bug fixes:
       #488 #490  Autotools: Fix installed header expat_config.h for multilib
                    systems; regression introduced in 2.4.0 by pull request #486

        Other changes:
       #491 #492  Version info bumped from 9:0:8 to 9:1:8;
                    see https://verbump.de/ for what these numbers do

        Special thanks to:
            Gentoo's QA check "multilib_check_headers"

Release 2.4.0 Sun May 23 2021
        Security fixes:
   #34 #466 #484  CVE-2013-0340/CWE-776 -- Protect against billion laughs attacks
                    (denial-of-service; flavors targeting CPU time or RAM or both,
                    leveraging general entities or parameter entities or both)
                    by tracking and limiting the input amplification factor
                    (<amplification> := (<direct> + <indirect>) / <direct>).
                    By conservative default, amplification up to a factor of 100.0
                    is tolerated and rejection only starts after 8 MiB of output bytes
                    (=<direct> + <indirect>) have been processed.
                    The fix adds the following to the API:
                    - A new error code XML_ERROR_AMPLIFICATION_LIMIT_BREACH to
                      signal this specific condition.
                    - Two new API functions ..
                      - XML_SetBillionLaughsAttackProtectionMaximumAmplification and
                      - XML_SetBillionLaughsAttackProtectionActivationThreshold
                      .. to further tighten billion laughs protection parameters
                      when desired. Please see file "doc/reference.html" for details.
                      If you ever need to increase the defaults for non-attack XML
                      payload, please file a bug report with libexpat.
                    - Two new XML_FEATURE_* constants ..
                      - that can be queried using the XML_GetFeatureList function, and
                      - that are shown in "xmlwf -v" output.
                    - Two new environment variable switches ..
                      - EXPAT_ACCOUNTING_DEBUG=(0|1|2|3) and
                      - EXPAT_ENTITY_DEBUG=(0|1)
                      .. for runtime debugging of accounting and entity processing.
                      Specific behavior of these values may change in the future.
                    - Two new command line arguments "-a FACTOR" and "-b BYTES"
                      for xmlwf to further tighten billion laughs protection
                      parameters when desired.
                      If you ever need to increase the defaults for non-attack XML
                      payload, please file a bug report with libexpat.

        Bug fixes:
       #332 #470  For (non-default) compilation with -DEXPAT_MIN_SIZE=ON (CMake)
                    or CPPFLAGS=-DXML_MIN_SIZE (GNU Autotools): Fix segfault
                    for UTF-16 payloads containing CDATA sections.
       #485 #486  Autotools: Fix generated CMake files for non-64bit and
                    non-Linux platforms (e.g. macOS and MinGW in particular)
                    that were introduced with release 2.3.0

        Other changes:
       #468 #469  xmlwf: Improve help output and the xmlwf man page
            #463  xmlwf: Improve maintainability through some refactoring
            #477  xmlwf: Fix man page DocBook validity
            #456  Autotools: Sync CMake templates with CMake 3.18
       #458 #459  CMake: Support absolute paths for both CMAKE_INSTALL_LIBDIR
                    and CMAKE_INSTALL_INCLUDEDIR
       #471 #481  CMake: Add support for standard variable BUILD_SHARED_LIBS
            #457  Unexpose symbol _INTERNAL_trim_to_complete_utf8_characters
            #467  Resolve macro HAVE_EXPAT_CONFIG_H
            #472  Delete unused legacy helper file "conftools/PrintPath"
       #473 #483  Improve attribution
  #464 #465 #477  doc/reference.html: Fix XHTML validity
       #475 #478  doc/reference.html: Replace the 90s look by OK.css
            #479  Version info bumped from 8:0:7 to 9:0:8
                    due to addition of new symbols and error codes;
                    see https://verbump.de/ for what these numbers do

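
The amplification rule from the CVE-2013-0340 entry of this release, as an added example that is not part of this changelog and is not Expat's implementation: a C model of the accounting that counts direct and indirect bytes and stops expansion once the limit is breached. The nested-entity size model (depth, fan-out, REF_LEN, leaf length) and all function names are assumptions made for illustration; only the formula and the two defaults (100.0 and 8 MiB) come from the entry.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Defaults quoted in the 2.4.0 entry. */
#define MAX_AMPLIFICATION_DEFAULT 100.0
#define ACTIVATION_THRESHOLD_DEFAULT (8ULL * 1024 * 1024) /* 8 MiB */
/* Assumed size in bytes of one entity reference such as "&e1;". */
#define REF_LEN 5ULL

typedef struct {
  uint64_t direct;   /* bytes read from the document itself */
  uint64_t indirect; /* bytes produced by entity expansion */
  double max_amplification;
  uint64_t activation_threshold;
} accounting;

/* <amplification> := (<direct> + <indirect>) / <direct> */
double amplification(const accounting *a) {
  if (a->direct == 0)
    return 1.0;
  return (double)(a->direct + a->indirect) / (double)a->direct;
}

/* Tolerated while output is below the activation threshold, or while
 * the amplification factor stays within the configured maximum. */
bool within_limits(const accounting *a) {
  uint64_t output = a->direct + a->indirect;
  if (output < a->activation_threshold)
    return true;
  return amplification(a) <= a->max_amplification;
}

/* Model of expanding an entity at nesting `level`: level 0 is leaf text
 * of leaf_len bytes; level k is `fanout` references to level k-1.
 * Returns false as soon as the limit is breached, so work stays bounded. */
bool expand(accounting *a, unsigned level, unsigned fanout, uint64_t leaf_len) {
  if (level == 0) {
    a->indirect += leaf_len;
    return within_limits(a);
  }
  a->indirect += (uint64_t)fanout * REF_LEN; /* the replacement text itself */
  if (!within_limits(a))
    return false;
  for (unsigned i = 0; i < fanout; i++)
    if (!expand(a, level - 1, fanout, leaf_len))
      return false;
  return true;
}

/* Parse a modelled document of doc_bytes that references one entity of
 * the given nesting depth. Returns true if parsing would be accepted. */
bool parse_model(accounting *a, uint64_t doc_bytes, unsigned depth,
                 unsigned fanout, uint64_t leaf_len, double max_amp,
                 uint64_t threshold) {
  a->direct = doc_bytes;
  a->indirect = 0;
  a->max_amplification = max_amp;
  a->activation_threshold = threshold;
  if (!within_limits(a))
    return false;
  return expand(a, depth, fanout, leaf_len);
}

int main(void) {
  accounting a;
  /* Depth 9 with fan-out 10 would expand to more than 8 GB in this model;
   * with the defaults it is rejected shortly after 8 MiB of output. */
  bool ok = parse_model(&a, 1000, 9, 10, 3, MAX_AMPLIFICATION_DEFAULT,
                        ACTIVATION_THRESHOLD_DEFAULT);
  printf("deep nesting: %s after %llu output bytes (factor %.1f)\n",
         ok ? "accepted" : "rejected",
         (unsigned long long)(a.direct + a.indirect), amplification(&a));
  /* A small document can exceed factor 100 and still pass, because the
   * 8 MiB activation threshold has not been reached. */
  ok = parse_model(&a, 100, 4, 10, 3, MAX_AMPLIFICATION_DEFAULT,
                   ACTIVATION_THRESHOLD_DEFAULT);
  printf("small doc:    %s at factor %.1f\n", ok ? "accepted" : "rejected",
         amplification(&a));
  return 0;
}
```

Lowering the activation threshold in the model, the role the entry assigns to XML_SetBillionLaughsAttackProtectionActivationThreshold and to "xmlwf -b BYTES", makes the same small document fail once its factor passes 100.0.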
        Infrastructure:
            #456  CI: Enable periodic runs
            #457  CI: Start covering the list of exported symbols
            #474  CI: Isolate coverage task
       #476 #482  CI: Adapt to breaking changes in image "ubuntu-18.04"
            #477  CI: Cover well-formedness and DocBook/XHTML validity
                    of doc/reference.html and doc/xmlwf.xml

        Special thanks to:
            Dimitry Andric
            Eero Helenius
            Nick Wellnhofer
            Rhodri James
            Tomas Korbar
            Yury Gribov
                  and
            Clang LeakSan
            JetBrains
            OSS-Fuzz

Release 2.3.0 Thu March 25 2021
        Bug fixes:
            #438  When calling XML_ParseBuffer without a prior successful call to
                    XML_GetBuffer as a user, no longer trigger undefined behavior
                    (by adding an integer to a NULL pointer) but rather return
                    XML_STATUS_ERROR and set the error code to (new) code
                    XML_ERROR_NO_BUFFER. Found by UBSan (UndefinedBehaviorSanitizer)
                    of Clang 11 (but not Clang 9).
            #444  xmlwf: Exit status 2 was used for both:
                    - malformed input files (documented) and
                    - invalid command-line arguments (undocumented).
                    The case of invalid command-line arguments now
                    has its own exit status 4, resolving the ambiguity.

        Other changes:
            #439  xmlwf: Add argument -k to allow continuing after
                    non-fatal errors
            #439  xmlwf: Add section about exit status to the -h help output
  #422 #426 #447  Windows: Drop support for Visual Studio <=14.0/2015
            #434  Windows: CMake: Detect unsupported Visual Studio at
                    configure time (rather than at compile time)
       #382 #428  testrunner: Make verbose mode (argument "-v") report
                    about passed tests, and make default mode report about
                    failures, as well.
            #442  CMake: Call "enable_language(CXX)" prior to tinkering
                    with CMAKE_CXX_* variables
            #448  Document use of libexpat from a CMake-based project
            #451  Autotools: Install CMake files as generated by CMake 3.19.6
                    so that users with "find_package(expat [..] CONFIG [..])"
                    are served on distributions that are *not* using the CMake
                    build system inside for libexpat packaging
       #436 #437  Autotools: Drop obsolescent macro AC_HEADER_STDC
       #450 #452  Autotools: Resolve use of obsolete macro AC_CONFIG_HEADER
            #441  Address compiler warnings
            #443  Version info bumped from 7:12:6 to 8:0:7
                    due to addition of error code XML_ERROR_NO_BUFFER
                    (see https://verbump.de/ for what these numbers do)

        Infrastructure:
       #435 #446  Replace Travis CI by GitHub Actions

        Special thanks to:
            Alexander Richardson
            Oleksandr Popovych
            Thomas Beutlich
            Tim Bray
                  and
            Clang LeakSan, Clang 11 UBSan and the Clang team

Release 2.2.10 Sat October 3 2020
        Bug fixes:
  #390 #395 #398  Fix undefined behavior during parsing caused by
                    pointer arithmetic with NULL pointers
       #404 #405  Fix reading uninitialized variable during parsing
            #406  xmlwf: Add missing check for malloc NULL return

        Other changes:
            #396  Windows: Drop support for Visual Studio <=8.0/2005
            #409  Windows: Add missing file "Changes" to the installer
                    to fix compilation with CMake from installed sources
            #403  xmlwf: Document exit codes in xmlwf manpage and
                    exit with code 3 (rather than code 1) for output errors
                    when used with "-d DIRECTORY"
       #356 #359  MinGW: Provide declaration of rand_s for mingwrt <5.3.0
       #383 #392  Autotools: Use -Werror while configure tests the compiler
                    for supported compile flags to avoid false positives
  #383 #393 #394  Autotools: Improve handling of user (C|CPP|CXX|LD)FLAGS,
                    e.g. ensure that they have the last word over flags added
                    while running ./configure
            #360  CMake: Create libexpatw.{dll,so} and expatw.pc (with emphasis
                    on suffix "w") with -DEXPAT_CHAR_TYPE=(ushort|wchar_t)
            #360  CMake: Detect and deny unsupported build combinations
                    involving -DEXPAT_CHAR_TYPE=(ushort|wchar_t)
            #360  CMake: Install pre-compiled shipped xmlwf.1 manpage in case
                    of -DEXPAT_BUILD_DOCS=OFF
  #375 #380 #419  CMake: Fix use of Expat by means of add_subdirectory
       #407 #408  CMake: Keep expat target name constant at "expat"
                    (i.e. refrain from using the target name to control
                    build artifact filenames)
            #385  CMake: Fix compilation with -DEXPAT_SHARED_LIBS=OFF for
                    Windows
                  CMake: Expose man page compilation as target "xmlwf-manpage"
       #413 #414  CMake: Introduce option EXPAT_BUILD_PKGCONFIG
                    to control generation of pkg-config file "expat.pc"
            #424  CMake: Add minimalistic support for building binary packages
                    with CMake target "package"; based on CPack
            #366  CMake: Add option -DEXPAT_OSSFUZZ_BUILD=(ON|OFF) with
                    default OFF to build fuzzer code against OSS-Fuzz and
                    related environment variable LIB_FUZZING_ENGINE
            #354  Fix testsuite for -DEXPAT_DTD=OFF and -DEXPAT_NS=OFF, each
       #354 #355  ..
       #356 #412  Address compiler warnings
       #368 #369  Address pngcheck warnings with doc/*.png images
            #425  Version info bumped from 7:11:6 to 7:12:6

        Special thanks to:
            asavah
            Ben Wagner
            Bhargava Shastry
            Frank Landgraf
            Jeffrey Walton
            Joe Orton
            Kleber Tarcísio
            Ma Lin
            Maciej Sroczyński
            Mohammed Khajapasha
            Vadim Zeitlin
                  and
            Cppcheck 2.0 and the Cppcheck team

Release 2.2.9 Wed September 25 2019
        Other changes:
                  examples: Drop executable bits from elements.c
            #349  Windows: Change the name of the Windows DLLs from expat*.dll
                    to libexpat*.dll once more (regression from 2.2.8, first
                    fixed in 1.95.3, issue #61 on SourceForge today,
                    was issue #432456 back then); needs a fix due to
                    case-insensitive file systems on Windows and the fact that
                    Perl's XML::Parser::Expat compiles into Expat.dll.
            #347  Windows: Only define _CRT_RAND_S if not defined
                  Version info bumped from 7:10:6 to 7:11:6

        Special thanks to:
            Ben Wagner

Release 2.2.8 Fri September 13 2019
        Security fixes:
       #317 #318  CVE-2019-15903 -- Fix heap overflow triggered by
                    XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber),
                    and deny internal entities closing the doctype;
                    fixed in commit c20b758c332d9a13afbbb276d30db1d183a85d43

        Bug fixes:
            #240  Fix cases where XML_StopParser did not have any effect
                    when called from inside of an end element handler
            #341  xmlwf: Fix exit code for operation without "-d DIRECTORY";
                    previously, only "-d DIRECTORY" would give you a proper
                    exit code:
                      # xmlwf -d . <<<'<not well-formed>' 2>/dev/null ; echo $?
                      2
                      # xmlwf <<<'<not well-formed>' 2>/dev/null ; echo $?
                      0
                    Now both cases return exit code 2.

        Other changes:
       #299 #302  Windows: Replace LoadLibrary hack to access
                    unofficial API function SystemFunction036 (RtlGenRandom)
                    by using official API function rand_s (needs WinXP+)
            #325  Windows: Drop support for Visual Studio <=7.1/2003
                    and document supported compilers in README.md
            #286  Windows: Remove COM code from xmlwf; in case it turns
                    out needed later, there will be a dedicated repository
                    below https://github.com/libexpat/ for that code
            #322  Windows: Remove explicit MSVC solution and project files.
                    You can generate Visual Studio solution files through
                    CMake, e.g.: cmake -G"Visual Studio 15 2017" .
            #338  xmlwf: Make "xmlwf -h" help output more friendly
            #339  examples: Improve elements.c
       #244 #264  Autotools: Add argument --enable-xml-attr-info
       #239 #301  Autotools: Add arguments
                    --with-getrandom
                    --without-getrandom
                    --with-sys-getrandom
                    --without-sys-getrandom
       #312 #343  Autotools: Fix linking issues with "./configure LD=clang"
                  Autotools: Fix "make run-xmltest" for out-of-source builds
       #329 #336  CMake: Pull all options from Expat <=2.2.7 into namespace
                    prefix EXPAT_ with the exception of DOCBOOK_TO_MAN:
                    - BUILD_doc            -> EXPAT_BUILD_DOCS (plural)
                    - BUILD_examples       -> EXPAT_BUILD_EXAMPLES
                    - BUILD_shared         -> EXPAT_SHARED_LIBS
                    - BUILD_tests          -> EXPAT_BUILD_TESTS
                    - BUILD_tools          -> EXPAT_BUILD_TOOLS
                    - DOCBOOK_TO_MAN       -> DOCBOOK_TO_MAN (unchanged)
                    - INSTALL              -> EXPAT_ENABLE_INSTALL
                    - MSVC_USE_STATIC_CRT  -> EXPAT_MSVC_STATIC_CRT
                    - USE_libbsd           -> EXPAT_WITH_LIBBSD
                    - WARNINGS_AS_ERRORS   -> EXPAT_WARNINGS_AS_ERRORS
                    - XML_CONTEXT_BYTES    -> EXPAT_CONTEXT_BYTES
                    - XML_DEV_URANDOM      -> EXPAT_DEV_URANDOM
                    - XML_DTD              -> EXPAT_DTD
                    - XML_NS               -> EXPAT_NS
                    - XML_UNICODE          -> EXPAT_CHAR_TYPE=ushort (!)
                    - XML_UNICODE_WCHAR_T  -> EXPAT_CHAR_TYPE=wchar_t (!)
       #244 #264  CMake: Add argument -DEXPAT_ATTR_INFO=(ON|OFF),
                    default OFF
            #326  CMake: Add argument -DEXPAT_LARGE_SIZE=(ON|OFF),
                    default OFF
            #328  CMake: Add argument -DEXPAT_MIN_SIZE=(ON|OFF),
                    default OFF
       #239 #277  CMake: Add arguments
                    -DEXPAT_WITH_GETRANDOM=(ON|OFF|AUTO), default AUTO
                    -DEXPAT_WITH_SYS_GETRANDOM=(ON|OFF|AUTO), default AUTO
            #326  CMake: Install expat_config.h to include directory
            #326  CMake: Generate and install configuration files for
                    future find_package(expat [..] CONFIG [..])
                  CMake: Now produces a summary of applied configuration
                  CMake: Require C++ compiler only when tests are enabled
            #330  CMake: Fix compilation for 16bit character types,
                    i.e. ex -DXML_UNICODE=ON (and ex -DXML_UNICODE_WCHAR_T=ON)
            #265  CMake: Fix linking with MinGW
            #330  CMake: Add full support for MinGW; to enable, use
                    -DCMAKE_TOOLCHAIN_FILE=[expat]/cmake/mingw-toolchain.cmake
            #330  CMake: Port "make run-xmltest" from GNU Autotools to CMake
            #316  CMake: Windows: Make binary postfix match MSVC
                    Old: expat[d].lib
                    New: expat[w][d][MD|MT].lib
                  CMake: Migrate files from Windows to Unix line endings
            #308  CMake: Integrate OSS-Fuzz fuzzers, option
                    -DEXPAT_BUILD_FUZZERS=(ON|OFF), default OFF
             #14  Drop an OpenVMS support leftover
       #235 #268  ..
       #270 #310  ..
  #313 #331 #333  Address compiler warnings
       #282 #283  ..
       #284 #285  Address cppcheck warnings
       #294 #295  Address Clang Static Analyzer warnings
        #24 #293  Mass-apply clang-format 9 (and ensure conformance during CI)
                  Version info bumped from 7:9:6 to 7:10:6

        Special thanks to:
            David Loffredo
            Joonun Jang
            Kishore Kunche
            Marco Maggi
            Mitch Phillips
            Mohammed Khajapasha
            Rolf Ade
            xantares
            Zhongyuan Zhou

Release 2.2.7 Wed June 19 2019
        Security fixes:
       #186 #262  CVE-2018-20843 -- Fix extraction of namespace prefixes from
                    XML names; XML names with multiple colons could end up in
                    the wrong namespace, and take a high amount of RAM and CPU
                    resources while processing, opening the door to
                    use for denial-of-service attacks

        Other changes:
       #195 #197  Autotools/CMake: Utilize -fvisibility=hidden to stop
                    exporting non-API symbols
            #227  Autotools: Add --without-examples and --without-tests
            #228  Autotools: Modernize configure.ac
       #245 #246  Autotools: Fix check for -fvisibility=hidden for Clang
       #247 #248  Autotools: Fix compilation for lack of docbook2x-man
       #236 #258  Autotools: Produce .tar.{gz,lz,xz} release archives
            #212  CMake: Make libdir of pkgconfig expat.pc support multilib
       #158 #263  CMake: Build man page in PROJECT_BINARY_DIR not _SOURCE_DIR
            #219  Remove fallback to bcopy, assume that memmove(3) exists
            #257  Use portable "/usr/bin/env bash" shebang (e.g. for OpenBSD)
            #243  Windows: Fix syntax of .def module definition files
                  Version info bumped from 7:8:6 to 7:9:6

        Special thanks to:
            Benjamin Peterson
            Caolán McNamara
            Hanno Böck
            KangLin
            Kishore Kunche
            Marco Maggi
            Rhodri James
            Sebastian Dröge
            userwithuid
            Yury Gribov

Release 2.2.6 Sun August 12 2018
        Bug fixes:
       #170 #206  Avoid doing arithmetic with NULL pointers in XML_GetBuffer
       #204 #205  Fix 2.2.5 regression with suspend-resume while parsing
                    a document like '<root/>'

        Other changes:
       #165 #168  Autotools: Fix docbook-related configure syntax error
            #166  Autotools: Avoid grep option `-q` for Solaris
            #167  Autotools: Support
                    ./configure DOCBOOK_TO_MAN="xmlto man --skip-validation"
       #159 #167  Autotools: Support DOCBOOK_TO_MAN command which produces
                    xmlwf.1 rather than XMLWF.1; also covers case insensitive
                    file systems
            #181  Autotools: Drop -rpath option passed to libtool
            #188  Autotools: Detect and deny SGML docbook2man as ours is XML
            #188  Autotools/CMake: Support command db2x_docbook2man as well
            #174  CMake: Introduce option WARNINGS_AS_ERRORS, defaults to OFF
       #184 #185  CMake: Introduce option MSVC_USE_STATIC_CRT, defaults to OFF
       #207 #208  CMake: Introduce option XML_UNICODE and XML_UNICODE_WCHAR_T,
                    both defaulting to OFF
            #175  CMake: Prefer check_symbol_exists over check_function_exists
            #176  CMake: Create the same pkg-config file as with GNU Autotools
       #178 #179  CMake: Use GNUInstallDirs module to set proper defaults for
                    install directories
            #208  CMake: Utilize expat_config.h.cmake for XML_DEV_URANDOM
            #180  Windows: Fix compilation of test suite for Visual Studio 2008
  #131 #173 #202  Address compiler warnings
  #187 #190 #200  Fix miscellaneous typos
                  Version info bumped from 7:7:6 to 7:8:6

        Special thanks to:
            Anton Maklakov
            Benjamin Peterson
            Brad King
            Franek Korta
            Frank Rast
            Joe Orton
            luzpaz
            Pedro Vicente
            Rainer Jung
            Rhodri James
            Rolf Ade
            Rolf Eike Beer
            Thomas Beutlich
            Tomasz Kłoczko

Release 2.2.5 Tue October 31 2017
        Bug fixes:
              #8  If the parser runs out of memory, make sure its internal
                    state reflects the memory it actually has, not the memory
                    it wanted to have.
             #11  The default handler wasn't being called when it should for
                    a SYSTEM or PUBLIC doctype if an entity declaration handler
                    was registered.
       #137 #138  Fix a case of mistakenly reported parsing success where
                    XML_StopParser was called from an element handler
            #162  Function XML_ErrorString was returning NULL rather than
                    a message for code XML_ERROR_INVALID_ARGUMENT
                    introduced with release 2.2.1

        Other changes:
            #106  xmlwf: Add argument -N adding notation declarations
        #75 #106  Test suite: Resolve expected failure cases where xmlwf
                    output was incomplete
            #127  Windows: Fix test suite compilation
       #126 #127  Windows: Fix compilation for Visual Studio 2012
                  Windows: Upgrade shipped project files to Visual Studio 2017
        #33 #132  tests: Mass-fix compilation for XML_UNICODE_WCHAR_T
            #129  examples: Fix compilation for XML_UNICODE_WCHAR_T
            #130  benchmark: Fix compilation for XML_UNICODE_WCHAR_T
            #144  xmlwf: Fix compilation for XML_UNICODE_WCHAR_T; still needs
                    Windows or MinGW for 2-byte wchar_t
              #9  Address two Clang Static Analyzer false positives
             #59  Resolve troublesome macros hiding parser struct membership
                    and dereferencing that pointer
              #6  Resolve superfluous internal malloc/realloc switch
       #153 #155  Improve docbook2x-man detection
            #160  Undefine NDEBUG in the test suite (rather than rejecting it)
            #161  Address compiler warnings
                  Version info bumped from 7:6:6 to 7:7:6

        Special thanks to:
            Benbuck Nason
            Hans Wennborg
            José Gutiérrez de la Concha
            Pedro Monreal Gonzalez
            Rhodri James
            Rolf Ade
            Stephen Groat
                  and
            Core Infrastructure Initiative

Release 2.2.4 Sat August 19 2017
        Bug fixes:
            #115  Fix copying of partial characters for UTF-8 input

        Other changes:
            #109  Fix "make check" for non-x86 architectures that default
                    to unsigned type char (-128..127 rather than 0..255)
            #109  coverage.sh: Cover -funsigned-char
                  Autotools: Introduce --without-xmlwf argument
             #65  Autotools: Replace handwritten Makefile with GNU Automake
             #43  CMake: Auto-detect high quality entropy extractors, add new
                    option USE_libbsd=ON to use arc4random_buf of libbsd
             #74  CMake: Add -fno-strict-aliasing only where supported
            #114  CMake: Always honor manually set BUILD_* options
            #114  CMake: Compile man page if docbook2x-man is available, only
            #117  Include file tests/xmltest.log.expected in source tarball
                    (required for "make run-xmltest")
            #117  Include (existing) Visual Studio 2013 files in source tarball
                  Improve test suite error output
            #111  Fix some typos in documentation
                  Version info bumped from 7:5:6 to 7:6:6

        Special thanks to:
            Jakub Wilk
            Joe Orton
            Lin Tian
            Rolf Eike Beer

Release 2.2.3 Wed August 2 2017
        Security fixes:
             #82  CVE-2017-11742 -- Windows: Fix DLL hijacking vulnerability
                    using Steve Holme's LoadLibrary wrapper for/of cURL

        Bug fixes:
             #85  Fix a dangling pointer issue related to realloc

        Other changes:
                  Increase code coverage
             #91  Linux: Allow getrandom to fail if nonblocking pool has not
                    yet been initialized and read /dev/urandom then, instead.
                    This is in line with what recent Python does.
             #81  Pre-10.7/Lion macOS: Support entropy from arc4random
             #86  Check that a UTF-16 encoding in an XML declaration has the
                    right endianness
        #4 #5 #7  Recover correctly when some reallocations fail
                  Repair "./configure && make" for systems without any
                    provider of high quality entropy
                    and try reading /dev/urandom on those
                  Ensure that user-defined character encodings have converter
                    functions when they are needed
                  Fix misleading description of argument -c in xmlwf.1
                  Rely on macro HAVE_ARC4RANDOM_BUF (rather than __CloudABI__)
                    for CloudABI
            #100  Fix use of SIPHASH_MAIN in siphash.h
             #23  Test suite: Fix memory leaks
                  Version info bumped from 7:4:6 to 7:5:6

        Special thanks to:
            Chanho Park
            Joe Orton
            Pascal Cuoq
            Rhodri James
            Simon McVittie
            Vadim Zeitlin
            Viktor Szakats
                 and
            Core Infrastructure Initiative

Release 2.2.2 Wed July 12 2017
        Security fixes:
             #43  Protect against compilation without any source of high
                    quality entropy enabled, e.g. with CMake build system;
                    commit ff0207e6076e9828e536b8d9cd45c9c92069b895
             #60  Windows with _UNICODE:
                    Unintended use of LoadLibraryW with a non-wide string
                    resulted in failure to load advapi32.dll and degradation
                    in quality of used entropy when compiled with _UNICODE for
                    Windows; you can launch existing binaries with
                    EXPAT_ENTROPY_DEBUG=1 in the environment to inspect the
                    quality of entropy used during runtime; commits
                    * 95b95032f907ef1cd17ee7a9a1768010a825d61d
                    * 73a5a2e9c081f49f2d775cf7ced864158b68dc80
       [MOX-006]  Fix non-NULL parser parameter validation in XML_Parse;
                    resulted in NULL dereference, previously;
                    commit ac256dafdffc9622ab0dc2c62fcecb0dfcfa71fe

        Bug fixes:
             #69  Fix improper use of unsigned long long integer literals

        Other changes:
             #73  Start requiring a C99 compiler
             #49  Fix "==" Bashism in configure script
             #50  Fix too eager getrandom detection for Debian GNU/kFreeBSD
             #52    and macOS
             #51  Address lack of stdint.h in Visual Studio 2003 to 2008
             #58  Address compile warnings
             #68  Fix "./buildconf.sh && ./configure" for some versions
                    of Dash for /bin/sh
             #72  CMake: Ease use of Expat in context of a parent project
                    with multiple CMakeLists.txt files
             #72  CMake: Resolve mistaken executable permissions
             #76  Address compile warning with -DNDEBUG (not recommended!)
             #77  Address compile warning about macro redefinition

        Special thanks to:
            Alexander Bluhm
            Ben Boeckel
            Cătălin Răceanu
            Kerin Millar
            László Böszörményi
            S. P. Zeidler
            Segev Finer
            Václav Slavík
            Victor Stinner
            Viktor Szakats
                 and
            Radically Open Security

Release 2.2.1 Sat June 17 2017
        Security fixes:
                  CVE-2017-9233 -- External entity infinite loop DoS
                    Details: https://libexpat.github.io/doc/cve-2017-9233/
                    Commit c4bf96bb51dd2a1b0e185374362ee136fe2c9d7f
       [MOX-002]  CVE-2016-9063 -- Detect integer overflow; commit
                    d4f735b88d9932bd5039df2335eefdd0723dbe20
                    (Fixed version of existing downstream patches!)
   (SF.net) #539  Fix regression from fix to CVE-2016-0718 cutting off
                    longer tag names; commits
                    * 896b6c1fd3b842f377d1b62135dccf0a579cf65d
                    * af507cef2c93cb8d40062a0abe43a4f4e9158fb2
             #16    * 0dbbf43fdb20f593ddf4fa1ff67288000dd4a7fd
             #25  More integer overflow detection (function poolGrow); commits
                    * 810b74e4703dcfdd8f404e3cb177d44684775143
                    * 44178553f3539ce69d34abee77a05e879a7982ac
       [MOX-002]  Detect overflow from len=INT_MAX call to XML_Parse; commits
                    * 4be2cb5afcc018d996f34bbbce6374b7befad47f
                    * 7e5b71b748491b6e459e5c9a1d090820f94544d8
   [MOX-005] #30  Use high quality entropy for hash initialization:
                    * arc4random_buf on BSD, systems with libbsd
                      (when configured with --with-libbsd), CloudABI
                    * RtlGenRandom on Windows XP / Server 2003 and later
                    * getrandom on Linux 3.17+
                    In a way, that's still part of CVE-2016-5300.
                    https://github.com/libexpat/libexpat/pull/30/commits
       [MOX-005]  For the low quality entropy extraction fallback code,
                    the parser instance address can no longer leak, commit
                    04ad658bd3079dd15cb60fc67087900f0ff4b083
       [MOX-003]  Prevent use of uninitialised variable; commit
       [MOX-004]    a4dc944f37b664a3ca7199c624a98ee37babdb4b
                  Add missing parameter validation to public API functions
                    and dedicated error code XML_ERROR_INVALID_ARGUMENT:
       [MOX-006]    * NULL checks; commits
                      * d37f74b2b7149a3a95a680c4c4cd2a451a51d60a (merge/many)
                      * 9ed727064b675b7180c98cb3d4f75efba6966681
                      * 6a747c837c50114dfa413994e07c0ba477be4534
                    * Negative length (XML_Parse); commit
       [MOX-002]      70db8d2538a10f4c022655d6895e4c3e78692e7f
   [MOX-001] #35  Change hash algorithm to William Ahern's version of SipHash
                    to go further with fixing CVE-2012-0876.
                    https://github.com/libexpat/libexpat/pull/39/commits

        Bug fixes:
             #32  Fix sharing of hash salt across parsers;
                    relevant where XML_ExternalEntityParserCreate is called
                    prior to XML_Parse, in particular (e.g. FBReader)
             #28  xmlwf: Auto-disable use of memory-mapping (and parsing
                    as a single chunk) for files larger than ~1 GB (2^30 bytes)
                    rather than failing with error "out of memory"
              #3  Fix double free after malloc failure in DTD code; commit
                    7ae9c3d3af433cd4defe95234eae7dc8ed15637f
             #17  Fix memory leak on parser error for unbound XML attribute
                    prefix with new namespaces defined in the same tag;
                    found by Google's OSS-Fuzz; commits
                    * 16f87daae5a16132e479e4f71862128c7a915c73
                    * b47dbc9745932c160893d433220e462bd605f8cd
                  xmlwf on Windows: Add missing calls to CloseHandle

        New features:
             #30  Introduced environment switch EXPAT_ENTROPY_DEBUG=1
                    for runtime debugging of entropy extraction

        Other changes:
                  Increase code coverage
             #33  Reject use of XML_UNICODE_WCHAR_T with sizeof(wchar_t) != 2;
                    XML_UNICODE_WCHAR_T was never meant to be used outside
                    of Windows; 4-byte wchar_t is common on Linux
   (SF.net) #538  Start using -fno-strict-aliasing
   (SF.net) #540  Support compilation against cloudlibc of CloudABI
                  Allow MinGW cross-compilation
   (SF.net) #534  CMake: Introduce option "BUILD_doc" (enabled by default)
                    to bypass compilation of the xmlwf.1 man page
    (SF.net) pr2  CMake: Introduce option "INSTALL" (enabled by default)
                    to bypass installation of expat files
                  CMake: Fix ninja support
                  Autotools: Add parameters --enable-xml-context [COUNT]
                    and --disable-xml-context; default of context of 1024
                    bytes enabled unchanged
             #14  Drop AmigaOS 4.x code and includes
             #14  Drop ancient build systems:
                    * Borland C++ Builder
                    * OpenVMS
                    * Open Watcom
                    * Visual Studio 6.0
                    * Pre-X Mac OS (MPW Makefile)
                    If you happen to rely on some of these, please get in
                    touch for joining with maintenance.
             #10  Move from WIN32 to _WIN32
             #13  Fix "make run-xmltest" order instability
                  Address compile warnings
                  Bump version info from 7:2:6 to 7:3:6
                  Add AUTHORS file

        Infrastructure:
              #1  Migrate from SourceForge to GitHub (except downloads):
                    https://github.com/libexpat/
              #1  Re-create http://libexpat.org/ project website
                  Start utilizing Travis CI

        Special thanks to:
            Andy Wang
            Don Lewis
            Ed Schouten
            Karl Waclawek
            Pascal Cuoq
            Rhodri James
            Sergei Nikulov
            Tobias Taschner
            Viktor Szakats
                 and
            Core Infrastructure Initiative
            Mozilla Foundation (MOSS Track 3: Secure Open Source)
            Radically Open Security

Release 2.2.0 Tue June 21 2016
        Security fixes:
            #537  CVE-2016-0718 -- Fix crash on malformed input
                  CVE-2016-4472 -- Improve insufficient fix to CVE-2015-1283 /
                    CVE-2015-2716 introduced with Expat 2.1.1
            #499  CVE-2016-5300 -- Use more entropy for hash initialization
                    than the original fix to CVE-2012-0876
            #519  CVE-2012-6702 -- Resolve troublesome internal call to srand
                    that was introduced with Expat 2.1.0
                    when addressing CVE-2012-0876 (issue #496)

        Bug fixes:
                  Fix uninitialized reads of size 1
                    (e.g. in little2_updatePosition)
                  Fix detection of UTF-8 character boundaries

        Other changes:
            #532  Fix compilation for Visual Studio 2010 (keyword "C99")
                  Autotools: Resolve use of "$<" to better support bmake
                  Autotools: Add QA script "qa.sh" (and make target "qa")
                  Autotools: Respect CXXFLAGS if given
                  Autotools: Fix "make run-xmltest"
                  Autotools: Have "make run-xmltest" check for expected output
             p90  CMake: Fix static build (BUILD_shared=OFF) on Windows
            #536  CMake: Add soversion, support -DNO_SONAME=yes to bypass
            #323  CMake: Add suffix "d" to differentiate debug from release
                  CMake: Define WIN32 with CMake on Windows
                  Annotate memory allocators for GCC
                  Address all currently known compile warnings
                  Make sure that API symbols remain visible despite
                    -fvisibility=hidden
                  Remove executable flag from source files
                  Resolve COMPILED_FROM_DSP in favor of WIN32

        Special thanks to:
            Björn Lindahl
            Christian Heimes
            Cristian Rodríguez
            Daniel Krügler
            Gustavo Grieco
            Karl Waclawek
            László Böszörményi
            Marco Grassi
            Pascal Cuoq
            Sergei Nikulov
            Thomas Beutlich
            Warren Young
            Yann Droneaud

Release 2.1.1 Sat March 12 2016
        Security fixes:
            #582: CVE-2015-1283 - Multiple integer overflows in XML_GetBuffer

        Bug fixes:
            #502: Fix potential null pointer dereference
            #520: Symbol XML_SetHashSalt was not exported
            Output of "xmlwf -h" was incomplete

        Other changes:
            #503: Document behavior of calling XML_SetHashSalt with salt 0
            Minor improvements to man page xmlwf(1)
            Improvements to the experimental CMake build system
            libtool now invoked with --verbose

Release 2.1.0 Sat March 24 2012
        - Security fixes:
          #2958794: CVE-2012-1148 - Memory leak in poolGrow.
          #2895533: CVE-2012-1147 - Resource leak in readfilemap.c.
          #3496608: CVE-2012-0876 - Hash DOS attack.
          #2894085: CVE-2009-3560 - Buffer over-read and crash in big2_toUtf8().
          #1990430: CVE-2009-3720 - Parser crash with special UTF-8 sequences.
        - Bug Fixes:
          #1742315: Harmful XML_ParserCreateNS suggestion.
          #1785430: Expat build fails on linux-amd64 with gcc version>=4.1 -O3.
          #1983953, 2517952, 2517962, 2649838:
            Build modifications using autoreconf instead of buildconf.sh.
          #2815947, #2884086: OBJEXT and EXEEXT support while building.
          #2517938: xmlwf should return non-zero exit status if not well-formed.
          #2517946: Wrong statement about XMLDecl in xmlwf.1 and xmlwf.sgml.
          #2855609: Dangling positionPtr after error.
          #2990652: CMake support.
          #3010819: UNEXPECTED_STATE with a trailing "%" in entity value.
          #3206497: Uninitialized memory returned from XML_Parse.
          #3287849: make check fails on mingw-w64.
        - Patches:
          #1749198: pkg-config support.
          #3010222: Fix for bug #3010819.
          #3312568: CMake support.
          #3446384: Report byte offsets for attr names and values.
        - New Features / API changes:
          Added new API member XML_SetHashSalt() that allows setting an initial
            value (salt) for hash calculations. This is part of the fix for
            bug #3496608 to randomize hash parameters.
          When compiled with XML_ATTR_INFO defined, adds new API member
            XML_GetAttributeInfo() that allows retrieving the byte
            offsets for attribute names and values (patch #3446384).
          Added CMake build system.
            See bug #2990652 and patch #3312568.
          Added run-benchmark target to Makefile.in - relies on testdata module
            present in the same relative location as in the repository.

Release 2.0.1 Tue June 5 2007
        - Fixed bugs #1515266, #1515600: The character data handler's calling
          of XML_StopParser() was not handled properly; if the parser was
          stopped and the handler set to NULL, the parser would segfault.
        - Fixed bug #1690883: Expat failed on EBCDIC systems as it assumed
          some character constants to be ASCII encoded.
        - Minor cleanups of the test harness.
        - Fixed xmlwf bug #1513566: "out of memory" error on file size zero.
        - Fixed outline.c bug #1543233: missing a final XML_ParserFree() call.
        - Fixes and improvements for Windows platform:
          bugs #1409451, #1476160, #1548182, #1602769, #1717322.
        - Build fixes for various platforms:
          HP-UX, Tru64, Solaris 9: patch #1437840, bug #1196180.
          All Unix: #1554618 (refreshed config.sub/config.guess).
                    #1490371, #1613457: support both, DESTDIR and INSTALL_ROOT,
                    without relying on GNU-Make specific features.
          #1647805: Patched configure.in to work better with Intel compiler.
        - Fixes to Makefile.in to have make check work correctly:
          bugs #1408143, #1535603, #1536684.
        - Added Open Watcom support: patch #1523242.

Release 2.0.0 Wed Jan 11 2006
        - We no longer use the "check" library for C unit testing; we
          always use the (partial) internal implementation of the API.
        - Report XML_NS setting via XML_GetFeatureList().
        - Fixed headers for use from C++.
        - XML_GetCurrentLineNumber() and XML_GetCurrentColumnNumber()
          now return unsigned integers.
        - Added XML_LARGE_SIZE switch to enable 64-bit integers for
          byte indexes and line/column numbers.
        - Updated to use libtool 1.5.22 (the most recent).
        - Added support for AmigaOS.
        - Some mostly minor bug fixes. SF issues include: #1006708,
          #1021776, #1023646, #1114960, #1156398, #1221160, #1271642.

Release 1.95.8 Fri Jul 23 2004
        - Major new feature: suspend/resume. Handlers can now request
          that a parse be suspended for later resumption or aborted
          altogether. See "Temporarily Stopping Parsing" in the
          documentation for more details.
        - Some mostly minor bug fixes, but compilation should no
          longer generate warnings on most platforms. SF issues
          include: #827319, #840173, #846309, #888329, #896188, #923913,
          #928113, #961698, #985192.

Release 1.95.7 Mon Oct 20 2003
        - Fixed enum XML_Status issue (reported on SourceForge many
          times), so compilers that are properly picky will be happy.
        - Introduced an XMLCALL macro to control the calling
          convention used by the Expat API; this macro should be used
          to annotate prototypes and definitions of callback
          implementations in code compiled with a calling convention
          other than the default convention for the host platform.
        - Improved ability to build without the configure-generated
          expat_config.h header. This is useful for applications
          which embed Expat rather than linking in the library.
        - Fixed a variety of bugs: see SF issues #458907, #609603,
          #676844, #679754, #692878, #692964, #695401, #699323, #699487,
          #820946.
        - Improved hash table lookups.
        - Added more regression tests and improved documentation.

Release 1.95.6 Tue Jan 28 2003
        - Added XML_FreeContentModel().
        - Added XML_MemMalloc(), XML_MemRealloc(), XML_MemFree().
        - Fixed a variety of bugs: see SF issues #615606, #616863,
          #618199, #653180, #673791.
        - Enhanced the regression test suite.
        - Man page improvements: includes SF issue #632146.

Release 1.95.5 Fri Sep 6 2002
        - Added XML_UseForeignDTD() for improved SAX2 support.
        - Added XML_GetFeatureList().
        - Defined XML_Bool type and the values XML_TRUE and XML_FALSE.
        - Use an incomplete struct instead of a void* for the parser
          (may not retain).
        - Fixed UTF-8 decoding bug that caused legal UTF-8 to be rejected.
        - Finally fixed bug where default handler would report DTD
          events that were already handled by another handler.
          Initial patch contributed by Darryl Miles.
        - Removed unnecessary DllMain() function that caused static
          linking into a DLL to be difficult.
        - Added VC++ projects for building static libraries.
        - Reduced line-length for all source code and headers to be
          no longer than 80 characters, to help with AS/400 support.
        - Reduced memory copying during parsing (SF patch #600964).
        - Fixed a variety of bugs: see SF issues #580793, #434664,
          #483514, #580503, #581069, #584041, #584183, #584832, #585537,
          #596555, #596678, #598352, #598944, #599715, #600479, #600971.

Release 1.95.4 Fri Jul 12 2002
        - Added support for VMS, contributed by Craig Berry. See
          vms/README.vms for more information.
        - Added Mac OS (classic) support, with a makefile for MPW,
          contributed by Thomas Wegner and Daryle Walker.
        - Added Borland C++ Builder 5 / BCC 5.5 support, contributed
          by Patrick McConnell (SF patch #538032).
        - Fixed a variety of bugs: see SF issues #441449, #563184,
          #564342, #566334, #566901, #569461, #570263, #575168, #579196.
        - Made skippedEntityHandler conform to SAX2 (see source comment)
        - Re-implemented WFC: Entity Declared from XML 1.0 spec and
          added a new error "entity declared in parameter entity":
          see SF bug report #569461 and SF patch #578161
        - Re-implemented section 5.1 from XML 1.0 spec:
          see SF bug report #570263 and SF patch #578161

Release 1.95.3 Mon Jun 3 2002
        - Added a project to the MSVC workspace to create a wchar_t
          version of the library; the DLLs are named libexpatw.dll.
        - Changed the name of the Windows DLLs from expat.dll to
          libexpat.dll; this fixes SF bug #432456.
        - Added the XML_ParserReset() API function.
        - Fixed XML_SetReturnNSTriplet() to work for element names.
        - Made the XML_UNICODE builds usable (thanks, Karl!).
        - Allow xmlwf to read from standard input.
        - Install a man page for xmlwf on Unix systems.
        - Fixed many bugs; see SF bug reports #231864, #461380, #464837,
          #466885, #469226, #477667, #484419, #487840, #494749, #496505,
          #547350. Other bugs which we can't test as easily may also
          have been fixed, especially in the area of build support.

Release 1.95.2 Fri Jul 27 2001
        - More changes to make MSVC happy with the build; add a single
          workspace to support both the library and xmlwf application.
        - Added a Windows installer for Windows users; includes
          xmlwf.exe.
        - Added compile-time constants that can be used to determine the
          Expat version
        - Removed a lot of GNU-specific dependencies to aid portability
          among the various Unix flavors.
        - Fix the UTF-8 BOM bug.
        - Cleaned up warning messages for several compilers.
        - Added the -Wall, -Wstrict-prototypes options for GCC.

Release 1.95.1 Sun Oct 22 15:11:36 EDT 2000
        - Changes to get expat to build under Microsoft compiler
        - Removed all aborts and instead return an UNEXPECTED_STATE error.
        - Fixed a bug where a stray '%' in an entity value would cause an
          abort.
        - Defined XML_SetEndNamespaceDeclHandler. Thanks to Darryl Miles for
          finding this oversight.
        - Changed default patterns in lib/Makefile.in to fit non-GNU makes
          Thanks to robin@unrated.net for reporting and providing an
          account to test on.
        - The reference had the wrong label for XML_SetStartNamespaceDecl.
          Reported by an anonymous user.

Release 1.95.0 Fri Sep 29 2000
        - XML_ParserCreate_MM
                Allows you to set a memory management suite to replace the
                standard malloc, realloc, and free.
        - XML_SetReturnNSTriplet
                If you turn this feature on when namespace processing is in
                effect, then qualified, prefixed element and attribute names
                are returned as "uri|name|prefix" where '|' is whatever
                separator character is used in namespace processing.
        - Merged in features from perl-expat
                o XML_SetElementDeclHandler
                o XML_SetAttlistDeclHandler
                o XML_SetXmlDeclHandler
                o XML_SetEntityDeclHandler
                o StartDoctypeDeclHandler takes 3 additional parameters:
                  sysid, pubid, has_internal_subset
                o Many paired handler setters (like XML_SetElementHandler)
                  now have corresponding individual handler setters
                o XML_GetInputContext for getting the input context of
                  the current parse position.
        - Added reference material
        - Packaged into a distribution that builds a sharable library