1 Release 2.1.1 Sat March 12 2016 2 Security fixes: 3 #582: CVE-2015-1283 - Multiple integer overflows in XML_GetBuffer 4 5 Bug fixes: 6 #502: Fix potential null pointer dereference 7 #520: Symbol XML_SetHashSalt was not exported 8 Output of "xmlwf -h" was incomplete 9 10 Other changes 11 #503: Document behavior of calling XML_SetHashSalt with salt 0 12 Minor improvements to man page xmlwf(1) 13 Improvements to the experimental CMake build system 14 libtool now invoked with --verbose 15 16 Release 2.1.0 Sat March 24 2012 17 - Bug Fixes: 18 #1742315: Harmful XML_ParserCreateNS suggestion. 19 #2895533: CVE-2012-1147 - Resource leak in readfilemap.c. 20 #1785430: Expat build fails on linux-amd64 with gcc version>=4.1 -O3. 21 #1983953, 2517952, 2517962, 2649838: 22 Build modifications using autoreconf instead of buildconf.sh. 23 #2815947, #2884086: OBJEXT and EXEEXT support while building. 24 #1990430: CVE-2009-3720 - Parser crash with special UTF-8 sequences. 25 #2517938: xmlwf should return non-zero exit status if not well-formed. 26 #2517946: Wrong statement about XMLDecl in xmlwf.1 and xmlwf.sgml. 27 #2855609: Dangling positionPtr after error. 28 #2894085: CVE-2009-3560 - Buffer over-read and crash in big2_toUtf8(). 29 #2958794: CVE-2012-1148 - Memory leak in poolGrow. 30 #2990652: CMake support. 31 #3010819: UNEXPECTED_STATE with a trailing "%" in entity value. 32 #3206497: Unitialized memory returned from XML_Parse. 33 #3287849: make check fails on mingw-w64. 34 #3496608: CVE-2012-0876 - Hash DOS attack. 35 - Patches: 36 #1749198: pkg-config support. 37 #3010222: Fix for bug #3010819. 38 #3312568: CMake support. 39 #3446384: Report byte offsets for attr names and values. 40 - New Features / API changes: 41 Added new API member XML_SetHashSalt() that allows setting an initial 42 value (salt) for hash calculations. This is part of the fix for 43 bug #3496608 to randomize hash parameters. 44 When compiled with XML_ATTR_INFO defined, adds new API member 45 XML_GetAttributeInfo() that allows retrieving the byte 46 offsets for attribute names and values (patch #3446384). 47 Added CMake build system. 48 See bug #2990652 and patch #3312568. 49 Added run-benchmark target to Makefile.in - relies on testdata module 50 present in the same relative location as in the repository. 51 52 Release 2.0.1 Tue June 5 2007 53 - Fixed bugs #1515266, #1515600: The character data handler's calling 54 of XML_StopParser() was not handled properly; if the parser was 55 stopped and the handler set to NULL, the parser would segfault. 56 - Fixed bug #1690883: Expat failed on EBCDIC systems as it assumed 57 some character constants to be ASCII encoded. 58 - Minor cleanups of the test harness. 59 - Fixed xmlwf bug #1513566: "out of memory" error on file size zero. 60 - Fixed outline.c bug #1543233: missing a final XML_ParserFree() call. 61 - Fixes and improvements for Windows platform: 62 bugs #1409451, #1476160, #1548182, #1602769, #1717322. 63 - Build fixes for various platforms: 64 HP-UX, Tru64, Solaris 9: patch #1437840, bug #1196180. 65 All Unix: #1554618 (refreshed config.sub/config.guess). 66 #1490371, #1613457: support both, DESTDIR and INSTALL_ROOT, 67 without relying on GNU-Make specific features. 68 #1647805: Patched configure.in to work better with Intel compiler. 69 - Fixes to Makefile.in to have make check work correctly: 70 bugs #1408143, #1535603, #1536684. 71 - Added Open Watcom support: patch #1523242. 72 73 Release 2.0.0 Wed Jan 11 2006 74 - We no longer use the "check" library for C unit testing; we 75 always use the (partial) internal implementation of the API. 76 - Report XML_NS setting via XML_GetFeatureList(). 77 - Fixed headers for use from C++. 78 - XML_GetCurrentLineNumber() and XML_GetCurrentColumnNumber() 79 now return unsigned integers. 80 - Added XML_LARGE_SIZE switch to enable 64-bit integers for 81 byte indexes and line/column numbers. 82 - Updated to use libtool 1.5.22 (the most recent). 83 - Added support for AmigaOS. 84 - Some mostly minor bug fixes. SF issues include: #1006708, 85 #1021776, #1023646, #1114960, #1156398, #1221160, #1271642. 86 87 Release 1.95.8 Fri Jul 23 2004 88 - Major new feature: suspend/resume. Handlers can now request 89 that a parse be suspended for later resumption or aborted 90 altogether. See "Temporarily Stopping Parsing" in the 91 documentation for more details. 92 - Some mostly minor bug fixes, but compilation should no 93 longer generate warnings on most platforms. SF issues 94 include: #827319, #840173, #846309, #888329, #896188, #923913, 95 #928113, #961698, #985192. 96 97 Release 1.95.7 Mon Oct 20 2003 98 - Fixed enum XML_Status issue (reported on SourceForge many 99 times), so compilers that are properly picky will be happy. 100 - Introduced an XMLCALL macro to control the calling 101 convention used by the Expat API; this macro should be used 102 to annotate prototypes and definitions of callback 103 implementations in code compiled with a calling convention 104 other than the default convention for the host platform. 105 - Improved ability to build without the configure-generated 106 expat_config.h header. This is useful for applications 107 which embed Expat rather than linking in the library. 108 - Fixed a variety of bugs: see SF issues #458907, #609603, 109 #676844, #679754, #692878, #692964, #695401, #699323, #699487, 110 #820946. 111 - Improved hash table lookups. 112 - Added more regression tests and improved documentation. 113 114 Release 1.95.6 Tue Jan 28 2003 115 - Added XML_FreeContentModel(). 116 - Added XML_MemMalloc(), XML_MemRealloc(), XML_MemFree(). 117 - Fixed a variety of bugs: see SF issues #615606, #616863, 118 #618199, #653180, #673791. 119 - Enhanced the regression test suite. 120 - Man page improvements: includes SF issue #632146. 121 122 Release 1.95.5 Fri Sep 6 2002 123 - Added XML_UseForeignDTD() for improved SAX2 support. 124 - Added XML_GetFeatureList(). 125 - Defined XML_Bool type and the values XML_TRUE and XML_FALSE. 126 - Use an incomplete struct instead of a void* for the parser 127 (may not retain). 128 - Fixed UTF-8 decoding bug that caused legal UTF-8 to be rejected. 129 - Finally fixed bug where default handler would report DTD 130 events that were already handled by another handler. 131 Initial patch contributed by Darryl Miles. 132 - Removed unnecessary DllMain() function that caused static 133 linking into a DLL to be difficult. 134 - Added VC++ projects for building static libraries. 135 - Reduced line-length for all source code and headers to be 136 no longer than 80 characters, to help with AS/400 support. 137 - Reduced memory copying during parsing (SF patch #600964). 138 - Fixed a variety of bugs: see SF issues #580793, #434664, 139 #483514, #580503, #581069, #584041, #584183, #584832, #585537, 140 #596555, #596678, #598352, #598944, #599715, #600479, #600971. 141 142 Release 1.95.4 Fri Jul 12 2002 143 - Added support for VMS, contributed by Craig Berry. See 144 vms/README.vms for more information. 145 - Added Mac OS (classic) support, with a makefile for MPW, 146 contributed by Thomas Wegner and Daryle Walker. 147 - Added Borland C++ Builder 5 / BCC 5.5 support, contributed 148 by Patrick McConnell (SF patch #538032). 149 - Fixed a variety of bugs: see SF issues #441449, #563184, 150 #564342, #566334, #566901, #569461, #570263, #575168, #579196. 151 - Made skippedEntityHandler conform to SAX2 (see source comment) 152 - Re-implemented WFC: Entity Declared from XML 1.0 spec and 153 added a new error "entity declared in parameter entity": 154 see SF bug report #569461 and SF patch #578161 155 - Re-implemented section 5.1 from XML 1.0 spec: 156 see SF bug report #570263 and SF patch #578161 157 158 Release 1.95.3 Mon Jun 3 2002 159 - Added a project to the MSVC workspace to create a wchar_t 160 version of the library; the DLLs are named libexpatw.dll. 161 - Changed the name of the Windows DLLs from expat.dll to 162 libexpat.dll; this fixes SF bug #432456. 163 - Added the XML_ParserReset() API function. 164 - Fixed XML_SetReturnNSTriplet() to work for element names. 165 - Made the XML_UNICODE builds usable (thanks, Karl!). 166 - Allow xmlwf to read from standard input. 167 - Install a man page for xmlwf on Unix systems. 168 - Fixed many bugs; see SF bug reports #231864, #461380, #464837, 169 #466885, #469226, #477667, #484419, #487840, #494749, #496505, 170 #547350. Other bugs which we can't test as easily may also 171 have been fixed, especially in the area of build support. 172 173 Release 1.95.2 Fri Jul 27 2001 174 - More changes to make MSVC happy with the build; add a single 175 workspace to support both the library and xmlwf application. 176 - Added a Windows installer for Windows users; includes 177 xmlwf.exe. 178 - Added compile-time constants that can be used to determine the 179 Expat version 180 - Removed a lot of GNU-specific dependencies to aide portability 181 among the various Unix flavors. 182 - Fix the UTF-8 BOM bug. 183 - Cleaned up warning messages for several compilers. 184 - Added the -Wall, -Wstrict-prototypes options for GCC. 185 186 Release 1.95.1 Sun Oct 22 15:11:36 EDT 2000 187 - Changes to get expat to build under Microsoft compiler 188 - Removed all aborts and instead return an UNEXPECTED_STATE error. 189 - Fixed a bug where a stray '%' in an entity value would cause an 190 abort. 191 - Defined XML_SetEndNamespaceDeclHandler. Thanks to Darryl Miles for 192 finding this oversight. 193 - Changed default patterns in lib/Makefile.in to fit non-GNU makes 194 Thanks to robin (a] unrated.net for reporting and providing an 195 account to test on. 196 - The reference had the wrong label for XML_SetStartNamespaceDecl. 197 Reported by an anonymous user. 198 199 Release 1.95.0 Fri Sep 29 2000 200 - XML_ParserCreate_MM 201 Allows you to set a memory management suite to replace the 202 standard malloc,realloc, and free. 203 - XML_SetReturnNSTriplet 204 If you turn this feature on when namespace processing is in 205 effect, then qualified, prefixed element and attribute names 206 are returned as "uri|name|prefix" where '|' is whatever 207 separator character is used in namespace processing. 208 - Merged in features from perl-expat 209 o XML_SetElementDeclHandler 210 o XML_SetAttlistDeclHandler 211 o XML_SetXmlDeclHandler 212 o XML_SetEntityDeclHandler 213 o StartDoctypeDeclHandler takes 3 additional parameters: 214 sysid, pubid, has_internal_subset 215 o Many paired handler setters (like XML_SetElementHandler) 216 now have corresponding individual handler setters 217 o XML_GetInputContext for getting the input context of 218 the current parse position. 219 - Added reference material 220 - Packaged into a distribution that builds a sharable library 221