History log of /openbsd/lib/libexpat/lib/xmlparse.c (Results 1 – 25 of 39)
Revision Date Author Comments
# 61ad8a07 05-Sep-2024 bluhm <bluhm@openbsd.org>

Update libexpat to version 2.6.3.

Relevant for OpenBSD are security fixes #887 #890 #888 #891 #889
#892, other changes #886 #885, infrastructure #880. No library
bump necessary. CVE-2024-45490 CVE-2024-45491 CVE-2024-45492

OK tb@ deraadt@


# c033f770 01-Apr-2024 bluhm <bluhm@openbsd.org>

Update libexpat to version 2.6.2.

The fix for CVE-2024-28757 has been applied earlier. Relevant for
OpenBSD are bug fixes #839 #841, and other change #829. No library
bump is necessary.

OK deraadt@


# c53bfe58 14-Mar-2024 bluhm <bluhm@openbsd.org>

Cherry-pick fix for CVE-2024-28757 from libexpat.

Detect billion laughs attack with isolated external parser.
github commit 1d50b80cf31de87750103656f6eb693746854aa8

OK deraadt@


# bd8f1dc3 11-Feb-2024 bluhm <bluhm@openbsd.org>

Update libexpat to version 2.6.0.

This fixes CVE-2023-52425. OpenBSD is not affected by CVE-2023-52426.
Relevant for OpenBSD are security fixes #789 #814, bug fixes #753
#812 #813, other changes #771 #788 #764 #765, and examples, docs,
compiler warnings, clang-tidy, tests. Only a minor library bump
is necessary, this has been discussed with tb@ guenther@ kettenis@.

OK deraadt@


# 751a8f41 27-Oct-2022 bluhm <bluhm@openbsd.org>

Update libexpat to 2.5.0. This fixes CVE-2022-43680. Relevant for
OpenBSD are security fixes #616 #649 #650 and bug fixes #612 #645
#613 #654 #616 #652 #653. No library bump necessary.
OK tb@


# 9029d806 20-Sep-2022 bluhm <bluhm@openbsd.org>

Update libexpat to 2.4.9. This fixes CVE-2022-40674. Relevant for
OpenBSD are security fixes #629 #640 and other changes #610 #643.
No library bump necessary.
OK deraadt@


# 680fbc60 09-Mar-2022 bluhm <bluhm@openbsd.org>

Update libexpat to 2.4.7. Relevant for OpenBSD are bug fixes #572
#577 and other changes #577 #579 #575 #574 #569 #571. No library
bump necessary.
tested and OK tb@


# 253fd6bf 22-Feb-2022 bluhm <bluhm@openbsd.org>

Update libexpat to 2.4.6. This fixes CVE-2022-25235, CVE-2022-25236
CVE-2022-25313, CVE-2022-25314, and CVE-2022-25315. Relevant for
OpenBSD are security fixes #558 #559 #560 #561 #562 and bug fixes
#566. No library bump necessary.
OK tb@


# 7f817ade 31-Jan-2022 bluhm <bluhm@openbsd.org>

Update libexpat to 2.4.4. This fixes CVE-2022-23852 and CVE-2022-23990.
Relevant for OpenBSD are security fixes #550 #551 and other changes
#553 (missing in change log). No library bump necessary.
OK millert@


# 2c19dcf8 17-Jan-2022 bluhm <bluhm@openbsd.org>

Update libexpat to 2.4.3. This fixes CVE-2021-45960, CVE-2021-46143,
and CVE-2022-22822 to CVE-2022-22827. Relevant for OpenBSD are
security fixes #531 #534 #532 #538 #539 and other changes #527 #513
#514 #502 #503. No library bump necessary.
OK millert@


# 497fa8ab 27-May-2021 bluhm <bluhm@openbsd.org>

No longer patch away other entropy sources from libexpat. Upstream
expat uses arc4random_buf(3) as first option if available. Drop
our local patch. Behavior stays the same. Updates will be easier.
Environment variable EXPAT_ENTROPY_DEBUG can be used to check that
arc4random_buf() is really used.
OK sthen@


# 08819b41 26-May-2021 bluhm <bluhm@openbsd.org>

Update libexpat to 2.4.1. This fixes CVE-2013-0340. Relevant for
OpenBSD are security fixes #34 #466 #484 and other changes #467
#473 #483. A new error number in a public header requires a major
library bump. Two functions have been added to API.
OK tb@


# 326b8ed6 10-May-2021 bluhm <bluhm@openbsd.org>

Update libexpat to 2.3.0. Relevant for OpenBSD are only bug fix
#438 and other change #443. A new error constant has been added
to a public header file. According to guenther@ this is an ABI
break that requires a major bump.
OK tb@; tested by matthieu@


# 2a4a206e 29-Dec-2020 bluhm <bluhm@openbsd.org>

Update libexpat to 2.2.10. Relevant are only bug fixes #390 #395
#398 #404 #405 and other changes #354 #355 #412.
OK deraadt@


# 28ce3119 25-Sep-2019 bluhm <bluhm@openbsd.org>

Update libexpat to 2.2.8. CVE-2019-15903 has been fixed earlier
in our tree. Relevant is only bug fix #240. Most of the upstream
diff is automated source format change.
OK deraadt@


# 94f813b1 10-Sep-2019 bluhm <bluhm@openbsd.org>

Fix heap overflow in libexpat 2.2.7 triggered by XML_GetCurrentLineNumber
(or XML_GetCurrentColumnNumber), and deny internal entities closing
the doctype; CVE-2019-15903
fixed in commit c20b758c332d9a13afbbb276d30db1d183a85d43
OK tb@


# 04da3532 29-Jun-2019 bluhm <bluhm@openbsd.org>

Update libexpat to 2.2.7. Relevant for OpenBSD is only the fix for
CVE-2018-20843, a potential denial-of-service in libexpat due to
high RAM and CPU usage.
OK deraadt@


# 797786e5 22-Aug-2018 bluhm <bluhm@openbsd.org>

Update libexpat to 2.2.6. Relevant for OpenBSD is
- Avoid doing arithmetic with NULL pointers in XML_GetBuffer
- Fix 2.2.5 regression with suspend-resume while parsing
a document like '<root/>'
- Address compiler warnings
- Fix miscellaneous typos


# 9b8e2351 02-Nov-2017 bluhm <bluhm@openbsd.org>

Update libexpat to 2.2.5. Changes for OpenBSD include a few bug
fixes, no library bump needed.
OK deraadt@


# 2e724bc9 23-Aug-2017 bluhm <bluhm@openbsd.org>

Update libexpat to 2.2.4. Fix copying partial UTF-8 characters.
OK deraadt@


# 5837d4fc 04-Aug-2017 bluhm <bluhm@openbsd.org>

Update libexpat to 2.2.3. Only few changes affect OpenBSD.
OK deraadt@


# 0d60d187 19-Jul-2017 bluhm <bluhm@openbsd.org>

Update libexpat to 2.2.2. Fixes NULL parser dereference.
no objections deraadt@


# 2feb5d2a 30-Jun-2017 bluhm <bluhm@openbsd.org>

Update libexpat to version 2.2.1 which has some security fixes.
- CVE-2017-9233 CVE-2016-9063 CVE-2016-5300 CVE-2016-4472 CVE-2016-0718
CVE-2015-2716 CVE-2015-1283 CVE-2012-6702 CVE-2012-0876 have been
addressed. Not all of them affect OpenBSD as we had fixes before.
- Upstream uses arc4random_buf(3) now. Delete all code for other
entropy sources to make sure to compile the correct one. Our
library already used arc4random(3) before.
- The overflow fixes in rev 1.11 and 1.12 of lib/xmlparse.c
have been committed upstream in a different way. Use the upstream
code to make maintenance easier.
- Although it should be ABI compatible, there is a new global
symbol align_limit_to_full_utf8_characters. As it is in
lib/internal.h, add a Symbols.map to restrict the export. Do not
bump the shared library version.
- Use the internal expat's siphash.h.
ports build ajacoutot@; move ahead deraadt@


# d9d225e4 29-Jul-2016 rpointel <rpointel@openbsd.org>

Fix regression introduced by patch to CVE-2016-0718: Tag names were cut off in some cases.


# 525cdfc7 31-May-2016 rpointel <rpointel@openbsd.org>

fix CVE-2016-0718.

