1Release 2.2.0 Tue June 21 2016 2 Security fixes: 3 #537 CVE-2016-0718 -- Fix crash on malformed input 4 CVE-2016-4472 -- Improve insufficient fix to CVE-2015-1283 / 5 CVE-2015-2716 introduced with Expat 2.1.1 6 #499 CVE-2016-5300 -- Use more entropy for hash initialization 7 than the original fix to CVE-2012-0876 8 #519 CVE-2012-6702 -- Resolve troublesome internal call to srand 9 that was introduced with Expat 2.1.0 10 when addressing CVE-2012-0876 (issue #496) 11 12 Bug fixes: 13 Fix uninitialized reads of size 1 14 (e.g. in little2_updatePosition) 15 Fix detection of UTF-8 character boundaries 16 17 Other changes: 18 #532 Fix compilation for Visual Studio 2010 (keyword "C99") 19 Autotools: Resolve use of "$<" to better support bmake 20 Autotools: Add QA script "qa.sh" (and make target "qa") 21 Autotools: Respect CXXFLAGS if given 22 Autotools: Fix "make run-xmltest" 23 Autotools: Have "make run-xmltest" check for expected output 24 p90 CMake: Fix static build (BUILD_shared=OFF) on Windows 25 #536 CMake: Add soversion, support -DNO_SONAME=yes to bypass 26 #323 CMake: Add suffix "d" to differentiate debug from release 27 CMake: Define WIN32 with CMake on Windows 28 Annotate memory allocators for GCC 29 Address all currently known compile warnings 30 Make sure that API symbols remain visible despite 31 -fvisibility=hidden 32 Remove executable flag from source files 33 Resolve COMPILED_FROM_DSP in favor of WIN32 34 35 Special thanks to: 36 Bj��rn Lindahl 37 Christian Heimes 38 Cristian Rodr��guez 39 Daniel Kr��gler 40 Gustavo Grieco 41 Karl Waclawek 42 L��szl�� B��sz��rm��nyi 43 Marco Grassi 44 Pascal Cuoq 45 Sergei Nikulov 46 Thomas Beutlich 47 Warren Young 48 Yann Droneaud 49 50Release 2.1.1 Sat March 12 2016 51 Security fixes: 52 #582: CVE-2015-1283 - Multiple integer overflows in XML_GetBuffer 53 54 Bug fixes: 55 #502: Fix potential null pointer dereference 56 #520: Symbol XML_SetHashSalt was not exported 57 Output of "xmlwf -h" was incomplete 58 59 Other changes: 60 #503: Document behavior of calling XML_SetHashSalt with salt 0 61 Minor improvements to man page xmlwf(1) 62 Improvements to the experimental CMake build system 63 libtool now invoked with --verbose 64 65Release 2.1.0 Sat March 24 2012 66 - Bug Fixes: 67 #1742315: Harmful XML_ParserCreateNS suggestion. 68 #2895533: CVE-2012-1147 - Resource leak in readfilemap.c. 69 #1785430: Expat build fails on linux-amd64 with gcc version>=4.1 -O3. 70 #1983953, 2517952, 2517962, 2649838: 71 Build modifications using autoreconf instead of buildconf.sh. 72 #2815947, #2884086: OBJEXT and EXEEXT support while building. 73 #1990430: CVE-2009-3720 - Parser crash with special UTF-8 sequences. 74 #2517938: xmlwf should return non-zero exit status if not well-formed. 75 #2517946: Wrong statement about XMLDecl in xmlwf.1 and xmlwf.sgml. 76 #2855609: Dangling positionPtr after error. 77 #2894085: CVE-2009-3560 - Buffer over-read and crash in big2_toUtf8(). 78 #2958794: CVE-2012-1148 - Memory leak in poolGrow. 79 #2990652: CMake support. 80 #3010819: UNEXPECTED_STATE with a trailing "%" in entity value. 81 #3206497: Unitialized memory returned from XML_Parse. 82 #3287849: make check fails on mingw-w64. 83 #3496608: CVE-2012-0876 - Hash DOS attack. 84 - Patches: 85 #1749198: pkg-config support. 86 #3010222: Fix for bug #3010819. 87 #3312568: CMake support. 88 #3446384: Report byte offsets for attr names and values. 89 - New Features / API changes: 90 Added new API member XML_SetHashSalt() that allows setting an initial 91 value (salt) for hash calculations. This is part of the fix for 92 bug #3496608 to randomize hash parameters. 93 When compiled with XML_ATTR_INFO defined, adds new API member 94 XML_GetAttributeInfo() that allows retrieving the byte 95 offsets for attribute names and values (patch #3446384). 96 Added CMake build system. 97 See bug #2990652 and patch #3312568. 98 Added run-benchmark target to Makefile.in - relies on testdata module 99 present in the same relative location as in the repository. 100 101Release 2.0.1 Tue June 5 2007 102 - Fixed bugs #1515266, #1515600: The character data handler's calling 103 of XML_StopParser() was not handled properly; if the parser was 104 stopped and the handler set to NULL, the parser would segfault. 105 - Fixed bug #1690883: Expat failed on EBCDIC systems as it assumed 106 some character constants to be ASCII encoded. 107 - Minor cleanups of the test harness. 108 - Fixed xmlwf bug #1513566: "out of memory" error on file size zero. 109 - Fixed outline.c bug #1543233: missing a final XML_ParserFree() call. 110 - Fixes and improvements for Windows platform: 111 bugs #1409451, #1476160, #1548182, #1602769, #1717322. 112 - Build fixes for various platforms: 113 HP-UX, Tru64, Solaris 9: patch #1437840, bug #1196180. 114 All Unix: #1554618 (refreshed config.sub/config.guess). 115 #1490371, #1613457: support both, DESTDIR and INSTALL_ROOT, 116 without relying on GNU-Make specific features. 117 #1647805: Patched configure.in to work better with Intel compiler. 118 - Fixes to Makefile.in to have make check work correctly: 119 bugs #1408143, #1535603, #1536684. 120 - Added Open Watcom support: patch #1523242. 121 122Release 2.0.0 Wed Jan 11 2006 123 - We no longer use the "check" library for C unit testing; we 124 always use the (partial) internal implementation of the API. 125 - Report XML_NS setting via XML_GetFeatureList(). 126 - Fixed headers for use from C++. 127 - XML_GetCurrentLineNumber() and XML_GetCurrentColumnNumber() 128 now return unsigned integers. 129 - Added XML_LARGE_SIZE switch to enable 64-bit integers for 130 byte indexes and line/column numbers. 131 - Updated to use libtool 1.5.22 (the most recent). 132 - Added support for AmigaOS. 133 - Some mostly minor bug fixes. SF issues include: #1006708, 134 #1021776, #1023646, #1114960, #1156398, #1221160, #1271642. 135 136Release 1.95.8 Fri Jul 23 2004 137 - Major new feature: suspend/resume. Handlers can now request 138 that a parse be suspended for later resumption or aborted 139 altogether. See "Temporarily Stopping Parsing" in the 140 documentation for more details. 141 - Some mostly minor bug fixes, but compilation should no 142 longer generate warnings on most platforms. SF issues 143 include: #827319, #840173, #846309, #888329, #896188, #923913, 144 #928113, #961698, #985192. 145 146Release 1.95.7 Mon Oct 20 2003 147 - Fixed enum XML_Status issue (reported on SourceForge many 148 times), so compilers that are properly picky will be happy. 149 - Introduced an XMLCALL macro to control the calling 150 convention used by the Expat API; this macro should be used 151 to annotate prototypes and definitions of callback 152 implementations in code compiled with a calling convention 153 other than the default convention for the host platform. 154 - Improved ability to build without the configure-generated 155 expat_config.h header. This is useful for applications 156 which embed Expat rather than linking in the library. 157 - Fixed a variety of bugs: see SF issues #458907, #609603, 158 #676844, #679754, #692878, #692964, #695401, #699323, #699487, 159 #820946. 160 - Improved hash table lookups. 161 - Added more regression tests and improved documentation. 162 163Release 1.95.6 Tue Jan 28 2003 164 - Added XML_FreeContentModel(). 165 - Added XML_MemMalloc(), XML_MemRealloc(), XML_MemFree(). 166 - Fixed a variety of bugs: see SF issues #615606, #616863, 167 #618199, #653180, #673791. 168 - Enhanced the regression test suite. 169 - Man page improvements: includes SF issue #632146. 170 171Release 1.95.5 Fri Sep 6 2002 172 - Added XML_UseForeignDTD() for improved SAX2 support. 173 - Added XML_GetFeatureList(). 174 - Defined XML_Bool type and the values XML_TRUE and XML_FALSE. 175 - Use an incomplete struct instead of a void* for the parser 176 (may not retain). 177 - Fixed UTF-8 decoding bug that caused legal UTF-8 to be rejected. 178 - Finally fixed bug where default handler would report DTD 179 events that were already handled by another handler. 180 Initial patch contributed by Darryl Miles. 181 - Removed unnecessary DllMain() function that caused static 182 linking into a DLL to be difficult. 183 - Added VC++ projects for building static libraries. 184 - Reduced line-length for all source code and headers to be 185 no longer than 80 characters, to help with AS/400 support. 186 - Reduced memory copying during parsing (SF patch #600964). 187 - Fixed a variety of bugs: see SF issues #580793, #434664, 188 #483514, #580503, #581069, #584041, #584183, #584832, #585537, 189 #596555, #596678, #598352, #598944, #599715, #600479, #600971. 190 191Release 1.95.4 Fri Jul 12 2002 192 - Added support for VMS, contributed by Craig Berry. See 193 vms/README.vms for more information. 194 - Added Mac OS (classic) support, with a makefile for MPW, 195 contributed by Thomas Wegner and Daryle Walker. 196 - Added Borland C++ Builder 5 / BCC 5.5 support, contributed 197 by Patrick McConnell (SF patch #538032). 198 - Fixed a variety of bugs: see SF issues #441449, #563184, 199 #564342, #566334, #566901, #569461, #570263, #575168, #579196. 200 - Made skippedEntityHandler conform to SAX2 (see source comment) 201 - Re-implemented WFC: Entity Declared from XML 1.0 spec and 202 added a new error "entity declared in parameter entity": 203 see SF bug report #569461 and SF patch #578161 204 - Re-implemented section 5.1 from XML 1.0 spec: 205 see SF bug report #570263 and SF patch #578161 206 207Release 1.95.3 Mon Jun 3 2002 208 - Added a project to the MSVC workspace to create a wchar_t 209 version of the library; the DLLs are named libexpatw.dll. 210 - Changed the name of the Windows DLLs from expat.dll to 211 libexpat.dll; this fixes SF bug #432456. 212 - Added the XML_ParserReset() API function. 213 - Fixed XML_SetReturnNSTriplet() to work for element names. 214 - Made the XML_UNICODE builds usable (thanks, Karl!). 215 - Allow xmlwf to read from standard input. 216 - Install a man page for xmlwf on Unix systems. 217 - Fixed many bugs; see SF bug reports #231864, #461380, #464837, 218 #466885, #469226, #477667, #484419, #487840, #494749, #496505, 219 #547350. Other bugs which we can't test as easily may also 220 have been fixed, especially in the area of build support. 221 222Release 1.95.2 Fri Jul 27 2001 223 - More changes to make MSVC happy with the build; add a single 224 workspace to support both the library and xmlwf application. 225 - Added a Windows installer for Windows users; includes 226 xmlwf.exe. 227 - Added compile-time constants that can be used to determine the 228 Expat version 229 - Removed a lot of GNU-specific dependencies to aide portability 230 among the various Unix flavors. 231 - Fix the UTF-8 BOM bug. 232 - Cleaned up warning messages for several compilers. 233 - Added the -Wall, -Wstrict-prototypes options for GCC. 234 235Release 1.95.1 Sun Oct 22 15:11:36 EDT 2000 236 - Changes to get expat to build under Microsoft compiler 237 - Removed all aborts and instead return an UNEXPECTED_STATE error. 238 - Fixed a bug where a stray '%' in an entity value would cause an 239 abort. 240 - Defined XML_SetEndNamespaceDeclHandler. Thanks to Darryl Miles for 241 finding this oversight. 242 - Changed default patterns in lib/Makefile.in to fit non-GNU makes 243 Thanks to robin@unrated.net for reporting and providing an 244 account to test on. 245 - The reference had the wrong label for XML_SetStartNamespaceDecl. 246 Reported by an anonymous user. 247 248Release 1.95.0 Fri Sep 29 2000 249 - XML_ParserCreate_MM 250 Allows you to set a memory management suite to replace the 251 standard malloc,realloc, and free. 252 - XML_SetReturnNSTriplet 253 If you turn this feature on when namespace processing is in 254 effect, then qualified, prefixed element and attribute names 255 are returned as "uri|name|prefix" where '|' is whatever 256 separator character is used in namespace processing. 257 - Merged in features from perl-expat 258 o XML_SetElementDeclHandler 259 o XML_SetAttlistDeclHandler 260 o XML_SetXmlDeclHandler 261 o XML_SetEntityDeclHandler 262 o StartDoctypeDeclHandler takes 3 additional parameters: 263 sysid, pubid, has_internal_subset 264 o Many paired handler setters (like XML_SetElementHandler) 265 now have corresponding individual handler setters 266 o XML_GetInputContext for getting the input context of 267 the current parse position. 268 - Added reference material 269 - Packaged into a distribution that builds a sharable library 270