xref: /freebsd-10-stable/contrib/expat/Changes

Release 2.2.0 Tue June 21 2016
        Security fixes:
            #537  CVE-2016-0718 -- Fix crash on malformed input
                  CVE-2016-4472 -- Improve insufficient fix to CVE-2015-1283 /
                                   CVE-2015-2716 introduced with Expat 2.1.1
            #499  CVE-2016-5300 -- Use more entropy for hash initialization
                                   than the original fix to CVE-2012-0876
            #519  CVE-2012-6702 -- Resolve troublesome internal call to srand
                                   that was introduced with Expat 2.1.0
                                   when addressing CVE-2012-0876 (issue #496)

        Bug fixes:
                  Fix uninitialized reads of size 1
                    (e.g. in little2_updatePosition)
                  Fix detection of UTF-8 character boundaries

        Other changes:
            #532  Fix compilation for Visual Studio 2010 (keyword "C99")
                  Autotools: Resolve use of "$<" to better support bmake
                  Autotools: Add QA script "qa.sh" (and make target "qa")
                  Autotools: Respect CXXFLAGS if given
                  Autotools: Fix "make run-xmltest"
                  Autotools: Have "make run-xmltest" check for expected output
             p90  CMake: Fix static build (BUILD_shared=OFF) on Windows
            #536  CMake: Add soversion, support -DNO_SONAME=yes to bypass
            #323  CMake: Add suffix "d" to differentiate debug from release
                  CMake: Define WIN32 with CMake on Windows
                  Annotate memory allocators for GCC
                  Address all currently known compile warnings
                  Make sure that API symbols remain visible despite
                    -fvisibility=hidden
                  Remove executable flag from source files
                  Resolve COMPILED_FROM_DSP in favor of WIN32

        Special thanks to:
            Bj��rn Lindahl
            Christian Heimes
            Cristian Rodr��guez
            Daniel Kr��gler
            Gustavo Grieco
            Karl Waclawek
            L��szl�� B��sz��rm��nyi
            Marco Grassi
            Pascal Cuoq
            Sergei Nikulov
            Thomas Beutlich
            Warren Young
            Yann Droneaud

Release 2.1.1 Sat March 12 2016
        Security fixes:
            #582: CVE-2015-1283 - Multiple integer overflows in XML_GetBuffer

        Bug fixes:
            #502: Fix potential null pointer dereference
            #520: Symbol XML_SetHashSalt was not exported
            Output of "xmlwf -h" was incomplete

        Other changes:
            #503: Document behavior of calling XML_SetHashSalt with salt 0
            Minor improvements to man page xmlwf(1)
            Improvements to the experimental CMake build system
            libtool now invoked with --verbose

Release 2.1.0 Sat March 24 2012
        - Bug Fixes:
          #1742315: Harmful XML_ParserCreateNS suggestion.
          #2895533: CVE-2012-1147 - Resource leak in readfilemap.c.
          #1785430: Expat build fails on linux-amd64 with gcc version>=4.1 -O3.
          #1983953, 2517952, 2517962, 2649838: 
                Build modifications using autoreconf instead of buildconf.sh.
          #2815947, #2884086: OBJEXT and EXEEXT support while building.
          #1990430: CVE-2009-3720 - Parser crash with special UTF-8 sequences.
          #2517938: xmlwf should return non-zero exit status if not well-formed.
          #2517946: Wrong statement about XMLDecl in xmlwf.1 and xmlwf.sgml.
          #2855609: Dangling positionPtr after error.
          #2894085: CVE-2009-3560 - Buffer over-read and crash in big2_toUtf8().
          #2958794: CVE-2012-1148 - Memory leak in poolGrow.
          #2990652: CMake support.
          #3010819: UNEXPECTED_STATE with a trailing "%" in entity value.
          #3206497: Unitialized memory returned from XML_Parse.
          #3287849: make check fails on mingw-w64.
          #3496608: CVE-2012-0876 - Hash DOS attack.
        - Patches:
          #1749198: pkg-config support.
          #3010222: Fix for bug #3010819.
          #3312568: CMake support.
          #3446384: Report byte offsets for attr names and values.
        - New Features / API changes:
          Added new API member XML_SetHashSalt() that allows setting an initial
                value (salt) for hash calculations. This is part of the fix for
                bug #3496608 to randomize hash parameters.
          When compiled with XML_ATTR_INFO defined, adds new API member
                XML_GetAttributeInfo() that allows retrieving the byte
                offsets for attribute names and values (patch #3446384).
          Added CMake build system.
                See bug #2990652 and patch #3312568.
          Added run-benchmark target to Makefile.in - relies on testdata module
                present in the same relative location as in the repository.
          
Release 2.0.1 Tue June 5 2007
        - Fixed bugs #1515266, #1515600: The character data handler's calling
          of XML_StopParser() was not handled properly; if the parser was
          stopped and the handler set to NULL, the parser would segfault.
        - Fixed bug #1690883: Expat failed on EBCDIC systems as it assumed
          some character constants to be ASCII encoded.
        - Minor cleanups of the test harness.
        - Fixed xmlwf bug #1513566: "out of memory" error on file size zero.
        - Fixed outline.c bug #1543233: missing a final XML_ParserFree() call.
        - Fixes and improvements for Windows platform:
          bugs #1409451, #1476160, #1548182, #1602769, #1717322.
        - Build fixes for various platforms:
          HP-UX, Tru64, Solaris 9: patch #1437840, bug #1196180.
          All Unix: #1554618 (refreshed config.sub/config.guess).
                    #1490371, #1613457: support both, DESTDIR and INSTALL_ROOT,
                    without relying on GNU-Make specific features.
          #1647805: Patched configure.in to work better with Intel compiler.
        - Fixes to Makefile.in to have make check work correctly:
          bugs #1408143, #1535603, #1536684.
        - Added Open Watcom support: patch #1523242.

Release 2.0.0 Wed Jan 11 2006
        - We no longer use the "check" library for C unit testing; we
          always use the (partial) internal implementation of the API.
        - Report XML_NS setting via XML_GetFeatureList().
        - Fixed headers for use from C++.
        - XML_GetCurrentLineNumber() and  XML_GetCurrentColumnNumber()
          now return unsigned integers.
        - Added XML_LARGE_SIZE switch to enable 64-bit integers for
          byte indexes and line/column numbers.
        - Updated to use libtool 1.5.22 (the most recent).
        - Added support for AmigaOS.
        - Some mostly minor bug fixes. SF issues include: #1006708,
          #1021776, #1023646, #1114960, #1156398, #1221160, #1271642.

Release 1.95.8 Fri Jul 23 2004
        - Major new feature: suspend/resume.  Handlers can now request
          that a parse be suspended for later resumption or aborted
          altogether.  See "Temporarily Stopping Parsing" in the
          documentation for more details.
        - Some mostly minor bug fixes, but compilation should no
          longer generate warnings on most platforms.  SF issues
          include: #827319, #840173, #846309, #888329, #896188, #923913,
          #928113, #961698, #985192.

Release 1.95.7 Mon Oct 20 2003
        - Fixed enum XML_Status issue (reported on SourceForge many
          times), so compilers that are properly picky will be happy.
        - Introduced an XMLCALL macro to control the calling
          convention used by the Expat API; this macro should be used
          to annotate prototypes and definitions of callback
          implementations in code compiled with a calling convention
          other than the default convention for the host platform.
        - Improved ability to build without the configure-generated
          expat_config.h header.  This is useful for applications
          which embed Expat rather than linking in the library.
        - Fixed a variety of bugs: see SF issues #458907, #609603,
          #676844, #679754, #692878, #692964, #695401, #699323, #699487,
          #820946.
        - Improved hash table lookups.
        - Added more regression tests and improved documentation.

Release 1.95.6 Tue Jan 28 2003
        - Added XML_FreeContentModel().
        - Added XML_MemMalloc(), XML_MemRealloc(), XML_MemFree().
        - Fixed a variety of bugs: see SF issues #615606, #616863,
          #618199, #653180, #673791.
        - Enhanced the regression test suite.
        - Man page improvements: includes SF issue #632146.

Release 1.95.5 Fri Sep 6 2002
        - Added XML_UseForeignDTD() for improved SAX2 support.
        - Added XML_GetFeatureList().
        - Defined XML_Bool type and the values XML_TRUE and XML_FALSE.
        - Use an incomplete struct instead of a void* for the parser
          (may not retain).
        - Fixed UTF-8 decoding bug that caused legal UTF-8 to be rejected.
        - Finally fixed bug where default handler would report DTD
          events that were already handled by another handler.
          Initial patch contributed by Darryl Miles.
        - Removed unnecessary DllMain() function that caused static
          linking into a DLL to be difficult.
        - Added VC++ projects for building static libraries.
        - Reduced line-length for all source code and headers to be
          no longer than 80 characters, to help with AS/400 support.
        - Reduced memory copying during parsing (SF patch #600964).
        - Fixed a variety of bugs: see SF issues #580793, #434664,
          #483514, #580503, #581069, #584041, #584183, #584832, #585537,
          #596555, #596678, #598352, #598944, #599715, #600479, #600971.

Release 1.95.4 Fri Jul 12 2002
        - Added support for VMS, contributed by Craig Berry.  See
          vms/README.vms for more information.
        - Added Mac OS (classic) support, with a makefile for MPW,
          contributed by Thomas Wegner and Daryle Walker.
        - Added Borland C++ Builder 5 / BCC 5.5 support, contributed
          by Patrick McConnell (SF patch #538032).
        - Fixed a variety of bugs: see SF issues #441449, #563184,
          #564342, #566334, #566901, #569461, #570263, #575168, #579196.
        - Made skippedEntityHandler conform to SAX2 (see source comment)
        - Re-implemented WFC: Entity Declared from XML 1.0 spec and
          added a new error "entity declared in parameter entity":
          see SF bug report #569461 and SF patch #578161
        - Re-implemented section 5.1 from XML 1.0 spec:
          see SF bug report #570263 and SF patch #578161

Release 1.95.3 Mon Jun 3 2002
        - Added a project to the MSVC workspace to create a wchar_t
          version of the library; the DLLs are named libexpatw.dll.
        - Changed the name of the Windows DLLs from expat.dll to
          libexpat.dll; this fixes SF bug #432456.
        - Added the XML_ParserReset() API function.
        - Fixed XML_SetReturnNSTriplet() to work for element names.
        - Made the XML_UNICODE builds usable (thanks, Karl!).
        - Allow xmlwf to read from standard input.
        - Install a man page for xmlwf on Unix systems.
        - Fixed many bugs; see SF bug reports #231864, #461380, #464837,
          #466885, #469226, #477667, #484419, #487840, #494749, #496505,
          #547350.  Other bugs which we can't test as easily may also
          have been fixed, especially in the area of build support.

Release 1.95.2 Fri Jul 27 2001
        - More changes to make MSVC happy with the build; add a single
          workspace to support both the library and xmlwf application.
        - Added a Windows installer for Windows users; includes
          xmlwf.exe.
        - Added compile-time constants that can be used to determine the
          Expat version
        - Removed a lot of GNU-specific dependencies to aide portability
          among the various Unix flavors.
        - Fix the UTF-8 BOM bug.
        - Cleaned up warning messages for several compilers.
        - Added the -Wall, -Wstrict-prototypes options for GCC.

Release 1.95.1 Sun Oct 22 15:11:36 EDT 2000
        - Changes to get expat to build under Microsoft compiler
        - Removed all aborts and instead return an UNEXPECTED_STATE error.
        - Fixed a bug where a stray '%' in an entity value would cause an
          abort.
        - Defined XML_SetEndNamespaceDeclHandler. Thanks to Darryl Miles for
          finding this oversight.
        - Changed default patterns in lib/Makefile.in to fit non-GNU makes
          Thanks to robin@unrated.net for reporting and providing an
          account to test on.
        - The reference had the wrong label for XML_SetStartNamespaceDecl.
          Reported by an anonymous user.

Release 1.95.0 Fri Sep 29 2000
        - XML_ParserCreate_MM
                Allows you to set a memory management suite to replace the
                standard malloc,realloc, and free.
        - XML_SetReturnNSTriplet
                If you turn this feature on when namespace processing is in
                effect, then qualified, prefixed element and attribute names
                are returned as "uri|name|prefix" where '|' is whatever
                separator character is used in namespace processing.
        - Merged in features from perl-expat
                o XML_SetElementDeclHandler
                o XML_SetAttlistDeclHandler
                o XML_SetXmlDeclHandler
                o XML_SetEntityDeclHandler
                o StartDoctypeDeclHandler takes 3 additional parameters:
                        sysid, pubid, has_internal_subset
                o Many paired handler setters (like XML_SetElementHandler)
                  now have corresponding individual handler setters
                o XML_GetInputContext for getting the input context of
                  the current parse position.
        - Added reference material
        - Packaged into a distribution that builds a sharable library