Release 2.2.0 Tue June 21 2016
        Security fixes:
            #537    CVE-2016-0718 -- Fix crash on malformed input
                    CVE-2016-4472 -- Improve insufficient fix to CVE-2015-1283 /
                                     CVE-2015-2716 introduced with Expat 2.1.1
            #499    CVE-2016-5300 -- Use more entropy for hash initialization
                                     than the original fix to CVE-2012-0876
            #519    CVE-2012-6702 -- Resolve troublesome internal call to srand
                                     that was introduced with Expat 2.1.0
                                     when addressing CVE-2012-0876 (issue #496)

        Bug fixes:
                    Fix uninitialized reads of size 1
                                     (e.g. in little2_updatePosition)
                    Fix detection of UTF-8 character boundaries

        Other changes:
            #532    Fix compilation for Visual Studio 2010 (keyword "C99")
                    Autotools: Resolve use of "$<" to better support bmake
                    Autotools: Add QA script "qa.sh" (and make target "qa")
                    Autotools: Respect CXXFLAGS if given
                    Autotools: Fix "make run-xmltest"
                    Autotools: Have "make run-xmltest" check for expected output
            p90     CMake: Fix static build (BUILD_shared=OFF) on Windows
            #536    CMake: Add soversion, support -DNO_SONAME=yes to bypass
            #323    CMake: Add suffix "d" to differentiate debug from release
                    CMake: Define WIN32 with CMake on Windows
                    Annotate memory allocators for GCC
                    Address all currently known compile warnings
                    Make sure that API symbols remain visible despite
                                     -fvisibility=hidden
                    Remove executable flag from source files
                    Resolve COMPILED_FROM_DSP in favor of WIN32

        Special thanks to:
            Björn Lindahl
            Christian Heimes
            Cristian Rodríguez
            Daniel Krügler
            Gustavo Grieco
            Karl Waclawek
            László Böszörményi
            Marco Grassi
            Pascal Cuoq
            Sergei Nikulov
            Thomas Beutlich
            Warren Young
            Yann Droneaud

Release 2.1.1 Sat March 12 2016
        Security fixes:
            #582: CVE-2015-1283 - Multiple integer overflows in XML_GetBuffer

        Bug fixes:
            #502: Fix potential null pointer dereference
            #520: Symbol XML_SetHashSalt was not exported
                  Output of "xmlwf -h" was incomplete

        Other changes:
            #503: Document behavior of calling XML_SetHashSalt with salt 0
                  Minor improvements to man page xmlwf(1)
                  Improvements to the experimental CMake build system
                  libtool now invoked with --verbose

Release 2.1.0 Sat March 24 2012
        - Bug Fixes:
          #1742315: Harmful XML_ParserCreateNS suggestion.
          #2895533: CVE-2012-1147 - Resource leak in readfilemap.c.
          #1785430: Expat build fails on linux-amd64 with gcc version>=4.1 -O3.
          #1983953, 2517952, 2517962, 2649838:
                Build modifications using autoreconf instead of buildconf.sh.
          #2815947, #2884086: OBJEXT and EXEEXT support while building.
          #1990430: CVE-2009-3720 - Parser crash with special UTF-8 sequences.
          #2517938: xmlwf should return non-zero exit status if not well-formed.
          #2517946: Wrong statement about XMLDecl in xmlwf.1 and xmlwf.sgml.
          #2855609: Dangling positionPtr after error.
          #2894085: CVE-2009-3560 - Buffer over-read and crash in big2_toUtf8().
          #2958794: CVE-2012-1148 - Memory leak in poolGrow.
          #2990652: CMake support.
          #3010819: UNEXPECTED_STATE with a trailing "%" in entity value.
          #3206497: Uninitialized memory returned from XML_Parse.
          #3287849: make check fails on mingw-w64.
          #3496608: CVE-2012-0876 - Hash DOS attack.
        - Patches:
          #1749198: pkg-config support.
          #3010222: Fix for bug #3010819.
          #3312568: CMake support.
          #3446384: Report byte offsets for attr names and values.
        - New Features / API changes:
          Added new API member XML_SetHashSalt() that allows setting an initial
                value (salt) for hash calculations. This is part of the fix for
                bug #3496608 to randomize hash parameters.
          When compiled with XML_ATTR_INFO defined, adds new API member
                XML_GetAttributeInfo() that allows retrieving the byte
                offsets for attribute names and values (patch #3446384).
          Added CMake build system.
                See bug #2990652 and patch #3312568.
          Added run-benchmark target to Makefile.in - relies on testdata module
                present in the same relative location as in the repository.

Release 2.0.1 Tue June 5 2007
        - Fixed bugs #1515266, #1515600: The character data handler's calling
          of XML_StopParser() was not handled properly; if the parser was
          stopped and the handler set to NULL, the parser would segfault.
        - Fixed bug #1690883: Expat failed on EBCDIC systems as it assumed
          some character constants to be ASCII encoded.
        - Minor cleanups of the test harness.
        - Fixed xmlwf bug #1513566: "out of memory" error on file size zero.
        - Fixed outline.c bug #1543233: missing a final XML_ParserFree() call.
        - Fixes and improvements for Windows platform:
          bugs #1409451, #1476160, #1548182, #1602769, #1717322.
        - Build fixes for various platforms:
          HP-UX, Tru64, Solaris 9: patch #1437840, bug #1196180.
          All Unix: #1554618 (refreshed config.sub/config.guess).
                    #1490371, #1613457: support both, DESTDIR and INSTALL_ROOT,
                    without relying on GNU-Make specific features.
          #1647805: Patched configure.in to work better with Intel compiler.
        - Fixes to Makefile.in to have make check work correctly:
          bugs #1408143, #1535603, #1536684.
        - Added Open Watcom support: patch #1523242.

Release 2.0.0 Wed Jan 11 2006
        - We no longer use the "check" library for C unit testing; we
          always use the (partial) internal implementation of the API.
        - Report XML_NS setting via XML_GetFeatureList().
        - Fixed headers for use from C++.
        - XML_GetCurrentLineNumber() and XML_GetCurrentColumnNumber()
          now return unsigned integers.
        - Added XML_LARGE_SIZE switch to enable 64-bit integers for
          byte indexes and line/column numbers.
        - Updated to use libtool 1.5.22 (the most recent).
        - Added support for AmigaOS.
        - Some mostly minor bug fixes. SF issues include: #1006708,
          #1021776, #1023646, #1114960, #1156398, #1221160, #1271642.

Release 1.95.8 Fri Jul 23 2004
        - Major new feature: suspend/resume. Handlers can now request
          that a parse be suspended for later resumption or aborted
          altogether. See "Temporarily Stopping Parsing" in the
          documentation for more details.
        - Some mostly minor bug fixes, but compilation should no
          longer generate warnings on most platforms. SF issues
          include: #827319, #840173, #846309, #888329, #896188, #923913,
          #928113, #961698, #985192.

Release 1.95.7 Mon Oct 20 2003
        - Fixed enum XML_Status issue (reported on SourceForge many
          times), so compilers that are properly picky will be happy.
        - Introduced an XMLCALL macro to control the calling
          convention used by the Expat API; this macro should be used
          to annotate prototypes and definitions of callback
          implementations in code compiled with a calling convention
          other than the default convention for the host platform.
        - Improved ability to build without the configure-generated
          expat_config.h header. This is useful for applications
          which embed Expat rather than linking in the library.
        - Fixed a variety of bugs: see SF issues #458907, #609603,
          #676844, #679754, #692878, #692964, #695401, #699323, #699487,
          #820946.
        - Improved hash table lookups.
        - Added more regression tests and improved documentation.

Release 1.95.6 Tue Jan 28 2003
        - Added XML_FreeContentModel().
        - Added XML_MemMalloc(), XML_MemRealloc(), XML_MemFree().
        - Fixed a variety of bugs: see SF issues #615606, #616863,
          #618199, #653180, #673791.
        - Enhanced the regression test suite.
        - Man page improvements: includes SF issue #632146.

Release 1.95.5 Fri Sep 6 2002
        - Added XML_UseForeignDTD() for improved SAX2 support.
        - Added XML_GetFeatureList().
        - Defined XML_Bool type and the values XML_TRUE and XML_FALSE.
        - Use an incomplete struct instead of a void* for the parser
          (may not retain).
        - Fixed UTF-8 decoding bug that caused legal UTF-8 to be rejected.
        - Finally fixed bug where default handler would report DTD
          events that were already handled by another handler.
          Initial patch contributed by Darryl Miles.
        - Removed unnecessary DllMain() function that caused static
          linking into a DLL to be difficult.
        - Added VC++ projects for building static libraries.
        - Reduced line-length for all source code and headers to be
          no longer than 80 characters, to help with AS/400 support.
        - Reduced memory copying during parsing (SF patch #600964).
        - Fixed a variety of bugs: see SF issues #580793, #434664,
          #483514, #580503, #581069, #584041, #584183, #584832, #585537,
          #596555, #596678, #598352, #598944, #599715, #600479, #600971.

Release 1.95.4 Fri Jul 12 2002
        - Added support for VMS, contributed by Craig Berry. See
          vms/README.vms for more information.
        - Added Mac OS (classic) support, with a makefile for MPW,
          contributed by Thomas Wegner and Daryle Walker.
        - Added Borland C++ Builder 5 / BCC 5.5 support, contributed
          by Patrick McConnell (SF patch #538032).
        - Fixed a variety of bugs: see SF issues #441449, #563184,
          #564342, #566334, #566901, #569461, #570263, #575168, #579196.
        - Made skippedEntityHandler conform to SAX2 (see source comment)
        - Re-implemented WFC: Entity Declared from XML 1.0 spec and
          added a new error "entity declared in parameter entity":
          see SF bug report #569461 and SF patch #578161
        - Re-implemented section 5.1 from XML 1.0 spec:
          see SF bug report #570263 and SF patch #578161

Release 1.95.3 Mon Jun 3 2002
        - Added a project to the MSVC workspace to create a wchar_t
          version of the library; the DLLs are named libexpatw.dll.
        - Changed the name of the Windows DLLs from expat.dll to
          libexpat.dll; this fixes SF bug #432456.
        - Added the XML_ParserReset() API function.
        - Fixed XML_SetReturnNSTriplet() to work for element names.
        - Made the XML_UNICODE builds usable (thanks, Karl!).
        - Allow xmlwf to read from standard input.
        - Install a man page for xmlwf on Unix systems.
        - Fixed many bugs; see SF bug reports #231864, #461380, #464837,
          #466885, #469226, #477667, #484419, #487840, #494749, #496505,
          #547350. Other bugs which we can't test as easily may also
          have been fixed, especially in the area of build support.

Release 1.95.2 Fri Jul 27 2001
        - More changes to make MSVC happy with the build; add a single
          workspace to support both the library and xmlwf application.
        - Added a Windows installer for Windows users; includes
          xmlwf.exe.
        - Added compile-time constants that can be used to determine the
          Expat version.
        - Removed a lot of GNU-specific dependencies to aid portability
          among the various Unix flavors.
        - Fix the UTF-8 BOM bug.
        - Cleaned up warning messages for several compilers.
        - Added the -Wall, -Wstrict-prototypes options for GCC.

Release 1.95.1 Sun Oct 22 15:11:36 EDT 2000
        - Changes to get expat to build under Microsoft compiler
        - Removed all aborts and instead return an UNEXPECTED_STATE error.
        - Fixed a bug where a stray '%' in an entity value would cause an
          abort.
        - Defined XML_SetEndNamespaceDeclHandler. Thanks to Darryl Miles for
          finding this oversight.
        - Changed default patterns in lib/Makefile.in to fit non-GNU makes
          Thanks to robin@unrated.net for reporting and providing an
          account to test on.
        - The reference had the wrong label for XML_SetStartNamespaceDecl.
          Reported by an anonymous user.

Release 1.95.0 Fri Sep 29 2000
        - XML_ParserCreate_MM
          Allows you to set a memory management suite to replace the
          standard malloc, realloc, and free.
        - XML_SetReturnNSTriplet
          If you turn this feature on when namespace processing is in
          effect, then qualified, prefixed element and attribute names
          are returned as "uri|name|prefix" where '|' is whatever
          separator character is used in namespace processing.
        - Merged in features from perl-expat
            o XML_SetElementDeclHandler
            o XML_SetAttlistDeclHandler
            o XML_SetXmlDeclHandler
            o XML_SetEntityDeclHandler
            o StartDoctypeDeclHandler takes 3 additional parameters:
              sysid, pubid, has_internal_subset
            o Many paired handler setters (like XML_SetElementHandler)
              now have corresponding individual handler setters
            o XML_GetInputContext for getting the input context of
              the current parse position.
        - Added reference material
        - Packaged into a distribution that builds a sharable library