Diffstat (limited to 'contrib/expat/Changes')
-rw-r--r-- contrib/expat/Changes 81
1 files changed, 79 insertions, 2 deletions
diff --git a/contrib/expat/Changes b/contrib/expat/Changes
index 9d6c64b6a460..092252ed1fa3 100644
--- a/contrib/expat/Changes
+++ b/contrib/expat/Changes
@@ -15,12 +15,16 @@
!! ClusterFuzz findings with few-days-max response times in communication !!
!! in order to (1) have a sound fix ready before the end of a 90 days !!
!! grace period and (2) in a sustainable manner, !!
-!! - helping CPython Expat bindings with supporting Expat's billion laughs !!
+!! - helping CPython Expat bindings with supporting Expat's amplification !!
!! attack protection API (https://github.com/python/cpython/issues/90949): !!
+!! - XML_SetAllocTrackerActivationThreshold !!
+!! - XML_SetAllocTrackerMaximumAmplification !!
!! - XML_SetBillionLaughsAttackProtectionActivationThreshold !!
!! - XML_SetBillionLaughsAttackProtectionMaximumAmplification !!
!! - helping Perl's XML::Parser Expat bindings with supporting Expat's !!
!! security API (https://github.com/cpan-authors/XML-Parser/issues/102): !!
+!! - XML_SetAllocTrackerActivationThreshold !!
+!! - XML_SetAllocTrackerMaximumAmplification !!
!! - XML_SetBillionLaughsAttackProtectionActivationThreshold !!
!! - XML_SetBillionLaughsAttackProtectionMaximumAmplification !!
!! - XML_SetReparseDeferralEnabled !!
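Review bot: The CPython item now reads "amplification attack protection API" while the Perl XML::Parser item still says "security API", although both list the same two new XML_SetAllocTracker* functions next to the billion laughs pair; use one wording for both. The banner also gives no hint that the two new functions only exist from 2.7.2 on (per the release entry added later in this patch), so a binding maintainer reading only the banner cannot tell which Expat version to gate them on; a "(2.7.2+)" suffix on the two added lines would cover that.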
@@ -37,6 +41,79 @@
!! THANK YOU! Sebastian Pipping -- Berlin, 2024-03-09 !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+Release 2.7.2 Tue September 16 2025
+ Security fixes:
+ #1018 #1034 CVE-2025-59375 -- Disallow use of disproportional amounts of
+ dynamic memory from within an Expat parser (e.g. previously
+ a ~250 KiB sized document was able to cause allocation of
+ ~800 MiB from the heap, i.e. an "amplification" of factor
+ ~3,300); once a threshold (that defaults to 64 MiB) is
+ reached, a maximum amplification factor (that defaults to
+ 100.0) is enforced, and violating documents are rejected
+ with an out-of-memory error.
+ There are two new API functions to fine-tune this new
+ behavior:
+ - XML_SetAllocTrackerActivationThreshold
+ - XML_SetAllocTrackerMaximumAmplification .
+ If you ever need to increase these defaults for non-attack
+ XML payload, please file a bug report with libexpat.
+ There is also a new environment variable
+ EXPAT_MALLOC_DEBUG=(0|1|2) to control the verbosity
+ of allocations debugging at runtime, disabled by default.
+ Known impact is (reliable and easy) denial of service:
+ CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
+ (Base Score: 7.5, Temporal Score: 7.2)
+ Please note that a layer of compression around XML can
+ significantly reduce the minimum attack payload size.
+ Distributors intending to backport (or cherry-pick) the
+ fix need to copy 99% of the related pull request, not just
+ the "lib: Implement tracking of dynamic memory allocations"
+ commit, to not end up with a state that literally does both
+ too much and too little at the same time. Appending ".diff"
+ to the pull request URL could be of help.
+
+ Other changes:
+ #1008 #1017 Autotools: Sync CMake templates with CMake 3.31 for macOS
+ #1007 CMake: Drop support for CMake <3.15
+ #1004 CMake: Fix off_t detection for -Werror
+ #1007 CMake|Windows: Fix -DEXPAT_MSVC_STATIC_CRT=ON
+ #1013 Windows: Drop support for Visual Studio <=16.0/2019
+ #1026 xmlwf: Mention supported environment variables in
+ --help output
+ #1024 xmlwf: Fix (internal) help generator
+ #1034 docs: Promote the contract to call function
+ XML_FreeContentModel when registering a custom
+ element declaration handler (via a call to function
+ XML_SetElementDeclHandler)
+ #1027 docs: Add missing <p>..</p> wrap
+ #994 docs: Drop AppVeyor badge
+ #1000 tests: Fix portable_strndup
+ #1036 Drop casts around malloc/free/realloc that C99 does not need
+ #1010 Replace empty for-loops with while loops
+ #1011 Add const with internal XmlInitUnknownEncodingNS
+ #14 #1037 Drop an OpenVMS support leftover
+ #999 #1001 Address more clang-tidy warnings
+ #1030 #1038 Version info bumped from 11:2:10 (libexpat*.so.1.10.2)
+ to 12:0:11 (libexpat*.so.1.11.0); see https://verbump.de/
+ for what these numbers do
+
+ Infrastructure:
+ #1003 CI: Cover compilation on FreeBSD
+ #1009 #1035 CI: Upgrade Clang from 19 to 21
+ #1031 CI: Make calling Cppcheck without --suppress=objectIndex
+ and --suppress=unknownMacro possible
+ #1013 CI|Windows: Get off of deprecated image "windows-2019"
+ #1008 #1017 ..
+ #1023 #1025 CI: Adapt to breaking changes in GitHub Actions
+
+ Special thanks to:
+ Alexander Bluhm
+ Neil Pang
+ Theo Buehler
+ and
+ OSS-Fuzz / ClusterFuzz
+ Perl XML::Parser
+
Release 2.7.1 Thu March 27 2025
Bug fixes:
#980 #989 Restore event pointer behavior from Expat 2.6.4
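Review bot: The backport paragraph at the end of the security entry tells distributors to copy "99% of the related pull request" and to append ".diff" to "the pull request URL", but never says which pull request that is or gives the URL. The entry is tagged #1018 #1034, and #1034 is reused further down for the XML_FreeContentModel docs item, so the reference is ambiguous; name the pull request number or spell out the URL in that paragraph. Separately, since violating documents are "rejected with an out-of-memory error", the entry should say whether a caller can tell a tracker rejection apart from a genuine allocation failure, because anyone triaging CVE-2025-59375 in production will look for that signal (the new EXPAT_MALLOC_DEBUG variable is mentioned, but not whether it exposes this).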
@@ -54,7 +131,7 @@ Release 2.7.1 Thu March 27 2025
#983 #984 Fix printf format specifiers for 32bit Emscripten
#992 docs: Promote OpenSSF Best Practices self-certification
#978 tests/benchmark: Resolve mistaken double close
- #986 Address compiler warnings
+ #986 Address Frama-C warnings
#990 #993 Version info bumped from 11:1:10 (libexpat*.so.1.10.1)
to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/
for what these numbers do
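Review bot: The changed #986 line sits under the already released 2.7.1 section, so this edits history rather than recording a 2.7.2 change, and nothing in the 2.7.2 entry mentions it. If it is a deliberate correction of the earlier wording, say so in the commit message so that downstreams diffing their 2.7.1 Changes against this one are not surprised by it.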