[Bug 1943133] Re: Sync expat 2.4.1-1 (main) from Debian experimental (main)

Rico Tzschichholz 1943133 at bugs.launchpad.net
Fri Sep 10 17:35:42 UTC 2021


** Description changed:

  Please sync expat 2.4.1-1 (main) from Debian experimental (main)
  
  Changelog entries since current impish version 2.3.0-1:
  
  expat (2.4.1-1) experimental; urgency=high
  
-   * New upstream release:
-     - fix CVE-2013-0340: protect against billion laughs attacks
-       (denial-of-service; flavors targeting CPU time or RAM or both,
-       leveraging general entities or parameter entities or both).
-   * Update libexpat1 symbols.
+   * New upstream release:
+     - fix CVE-2013-0340: protect against billion laughs attacks
+       (denial-of-service; flavors targeting CPU time or RAM or both,
+       leveraging general entities or parameter entities or both).
+   * Update libexpat1 symbols.
  
-  -- Laszlo Boszormenyi (GCS) <gcs at debian.org>  Mon, 24 May 2021 10:14:11
+  -- Laszlo Boszormenyi (GCS) <gcs at debian.org>  Mon, 24 May 2021 10:14:11
  +0200
+ 
+ 
+ Release 2.4.1 Sun May 23 2021
+         Bug fixes:
+        #488 #490  Autotools: Fix installed header expat_config.h for multilib
+                     systems; regression introduced in 2.4.0 by pull request #486
+ 
+         Other changes:
+        #491 #492  Version info bumped from 9:0:8 to 9:1:8;
+                     see https://verbump.de/ for what these numbers do
+ 
+ 
+ Release 2.4.0 Sun May 23 2021
+         Security fixes:
+    #34 #466 #484  CVE-2013-0340/CWE-776 -- Protect against billion laughs attacks
+                     (denial-of-service; flavors targeting CPU time or RAM or both,
+                     leveraging general entities or parameter entities or both)
+                     by tracking and limiting the input amplification factor
+                     (<amplification> := (<direct> + <indirect>) / <direct>).
+                     By conservative default, amplification up to a factor of 100.0
+                     is tolerated and rejection only starts after 8 MiB of output bytes
+                     (=<direct> + <indirect>) have been processed.
+                     The fix adds the following to the API:
+                     - A new error code XML_ERROR_AMPLIFICATION_LIMIT_BREACH to
+                       signals this specific condition.
+                     - Two new API functions ..
+                       - XML_SetBillionLaughsAttackProtectionMaximumAmplification and
+                       - XML_SetBillionLaughsAttackProtectionActivationThreshold
+                       .. to further tighten billion laughs protection parameters
+                       when desired.  Please see file "doc/reference.html" for details.
+                       If you ever need to increase the defaults for non-attack XML
+                       payload, please file a bug report with libexpat.
+                     - Two new XML_FEATURE_* constants ..
+                       - that can be queried using the XML_GetFeatureList function, and
+                       - that are shown in "xmlwf -v" output.
+                     - Two new environment variable switches ..
+                       - EXPAT_ACCOUNTING_DEBUG=(0|1|2|3) and
+                       - EXPAT_ENTITY_DEBUG=(0|1)
+                       .. for runtime debugging of accounting and entity processing.
+                       Specific behavior of these values may change in the future.
+                     - Two new command line arguments "-a FACTOR" and "-b BYTES"
+                       for xmlwf to further tighten billion laughs protection
+                       parameters when desired.
+                       If you ever need to increase the defaults for non-attack XML
+                       payload, please file a bug report with libexpat.
+ 
+         Bug fixes:
+        #332 #470  For (non-default) compilation with -DEXPAT_MIN_SIZE=ON (CMake)
+                     or CPPFLAGS=-DXML_MIN_SIZE (GNU Autotools): Fix segfault
+                     for UTF-16 payloads containing CDATA sections.
+        #485 #486  Autotools: Fix generated CMake files for non-64bit and
+                     non-Linux platforms (e.g. macOS and MinGW in particular)
+                     that were introduced with release 2.3.0
+ 
+         Other changes:
+        #468 #469  xmlwf: Improve help output and the xmlwf man page
+             #463  xmlwf: Improve maintainability through some refactoring
+             #477  xmlwf: Fix man page DocBook validity
+        #458 #459  CMake: Support absolute paths for both CMAKE_INSTALL_LIBDIR
+                     and CMAKE_INSTALL_INCLUDEDIR
+        #471 #481  CMake: Add support for standard variable BUILD_SHARED_LIBS
+             #457  Unexpose symbol _INTERNAL_trim_to_complete_utf8_characters
+             #467  Resolve macro HAVE_EXPAT_CONFIG_H
+             #472  Delete unused legacy helper file "conftools/PrintPath"
+        #473 #483  Improve attribution
+   #464 #465 #477  doc/reference.html: Fix XHTML validity
+        #475 #478  doc/reference.html: Replace the 90s look by OK.css
+             #479  Version info bumped from 8:0:7 to 9:0:8
+                     due to addition of new symbols and error codes;
+                     see https://verbump.de/ for what these numbers do
+ 
+         Infrastructure:
+             #456  CI: Enable periodic runs
+             #457  CI: Start covering the list of exported symbols
+             #474  CI: Isolate coverage task
+        #476 #482  CI: Adapt to breaking changes in image "ubuntu-18.04"
+             #477  CI: Cover well-formedness and DocBook/XHTML validity
+                     of doc/reference.html and doc/xmlwf.xml

** Description changed:

  Please sync expat 2.4.1-1 (main) from Debian experimental (main)
+ 
+ https://github.com/libexpat/libexpat/blob/R_2_4_1/expat/Changes
+ 
+ CVE-2013-0340
+ https://github.com/libexpat/libexpat/pull/466/files
  
  Changelog entries since current impish version 2.3.0-1:
  
  expat (2.4.1-1) experimental; urgency=high
  
    * New upstream release:
      - fix CVE-2013-0340: protect against billion laughs attacks
        (denial-of-service; flavors targeting CPU time or RAM or both,
        leveraging general entities or parameter entities or both).
    * Update libexpat1 symbols.
  
   -- Laszlo Boszormenyi (GCS) <gcs at debian.org>  Mon, 24 May 2021 10:14:11
  +0200
  
+ Release 2.4.1 Sun May 23 2021
+         Bug fixes:
+        #488 #490  Autotools: Fix installed header expat_config.h for multilib
+                     systems; regression introduced in 2.4.0 by pull request #486
  
- Release 2.4.1 Sun May 23 2021
-         Bug fixes:
-        #488 #490  Autotools: Fix installed header expat_config.h for multilib
-                     systems; regression introduced in 2.4.0 by pull request #486
- 
-         Other changes:
-        #491 #492  Version info bumped from 9:0:8 to 9:1:8;
-                     see https://verbump.de/ for what these numbers do
- 
+         Other changes:
+        #491 #492  Version info bumped from 9:0:8 to 9:1:8;
+                     see https://verbump.de/ for what these numbers do
  
  Release 2.4.0 Sun May 23 2021
-         Security fixes:
-    #34 #466 #484  CVE-2013-0340/CWE-776 -- Protect against billion laughs attacks
-                     (denial-of-service; flavors targeting CPU time or RAM or both,
-                     leveraging general entities or parameter entities or both)
-                     by tracking and limiting the input amplification factor
-                     (<amplification> := (<direct> + <indirect>) / <direct>).
-                     By conservative default, amplification up to a factor of 100.0
-                     is tolerated and rejection only starts after 8 MiB of output bytes
-                     (=<direct> + <indirect>) have been processed.
-                     The fix adds the following to the API:
-                     - A new error code XML_ERROR_AMPLIFICATION_LIMIT_BREACH to
-                       signals this specific condition.
-                     - Two new API functions ..
-                       - XML_SetBillionLaughsAttackProtectionMaximumAmplification and
-                       - XML_SetBillionLaughsAttackProtectionActivationThreshold
-                       .. to further tighten billion laughs protection parameters
-                       when desired.  Please see file "doc/reference.html" for details.
-                       If you ever need to increase the defaults for non-attack XML
-                       payload, please file a bug report with libexpat.
-                     - Two new XML_FEATURE_* constants ..
-                       - that can be queried using the XML_GetFeatureList function, and
-                       - that are shown in "xmlwf -v" output.
-                     - Two new environment variable switches ..
-                       - EXPAT_ACCOUNTING_DEBUG=(0|1|2|3) and
-                       - EXPAT_ENTITY_DEBUG=(0|1)
-                       .. for runtime debugging of accounting and entity processing.
-                       Specific behavior of these values may change in the future.
-                     - Two new command line arguments "-a FACTOR" and "-b BYTES"
-                       for xmlwf to further tighten billion laughs protection
-                       parameters when desired.
-                       If you ever need to increase the defaults for non-attack XML
-                       payload, please file a bug report with libexpat.
+         Security fixes:
+    #34 #466 #484  CVE-2013-0340/CWE-776 -- Protect against billion laughs attacks
+                     (denial-of-service; flavors targeting CPU time or RAM or both,
+                     leveraging general entities or parameter entities or both)
+                     by tracking and limiting the input amplification factor
+                     (<amplification> := (<direct> + <indirect>) / <direct>).
+                     By conservative default, amplification up to a factor of 100.0
+                     is tolerated and rejection only starts after 8 MiB of output bytes
+                     (=<direct> + <indirect>) have been processed.
+                     The fix adds the following to the API:
+                     - A new error code XML_ERROR_AMPLIFICATION_LIMIT_BREACH to
+                       signals this specific condition.
+                     - Two new API functions ..
+                       - XML_SetBillionLaughsAttackProtectionMaximumAmplification and
+                       - XML_SetBillionLaughsAttackProtectionActivationThreshold
+                       .. to further tighten billion laughs protection parameters
+                       when desired.  Please see file "doc/reference.html" for details.
+                       If you ever need to increase the defaults for non-attack XML
+                       payload, please file a bug report with libexpat.
+                     - Two new XML_FEATURE_* constants ..
+                       - that can be queried using the XML_GetFeatureList function, and
+                       - that are shown in "xmlwf -v" output.
+                     - Two new environment variable switches ..
+                       - EXPAT_ACCOUNTING_DEBUG=(0|1|2|3) and
+                       - EXPAT_ENTITY_DEBUG=(0|1)
+                       .. for runtime debugging of accounting and entity processing.
+                       Specific behavior of these values may change in the future.
+                     - Two new command line arguments "-a FACTOR" and "-b BYTES"
+                       for xmlwf to further tighten billion laughs protection
+                       parameters when desired.
+                       If you ever need to increase the defaults for non-attack XML
+                       payload, please file a bug report with libexpat.
  
-         Bug fixes:
-        #332 #470  For (non-default) compilation with -DEXPAT_MIN_SIZE=ON (CMake)
-                     or CPPFLAGS=-DXML_MIN_SIZE (GNU Autotools): Fix segfault
-                     for UTF-16 payloads containing CDATA sections.
-        #485 #486  Autotools: Fix generated CMake files for non-64bit and
-                     non-Linux platforms (e.g. macOS and MinGW in particular)
-                     that were introduced with release 2.3.0
+         Bug fixes:
+        #332 #470  For (non-default) compilation with -DEXPAT_MIN_SIZE=ON (CMake)
+                     or CPPFLAGS=-DXML_MIN_SIZE (GNU Autotools): Fix segfault
+                     for UTF-16 payloads containing CDATA sections.
+        #485 #486  Autotools: Fix generated CMake files for non-64bit and
+                     non-Linux platforms (e.g. macOS and MinGW in particular)
+                     that were introduced with release 2.3.0
  
-         Other changes:
-        #468 #469  xmlwf: Improve help output and the xmlwf man page
-             #463  xmlwf: Improve maintainability through some refactoring
-             #477  xmlwf: Fix man page DocBook validity
-        #458 #459  CMake: Support absolute paths for both CMAKE_INSTALL_LIBDIR
-                     and CMAKE_INSTALL_INCLUDEDIR
-        #471 #481  CMake: Add support for standard variable BUILD_SHARED_LIBS
-             #457  Unexpose symbol _INTERNAL_trim_to_complete_utf8_characters
-             #467  Resolve macro HAVE_EXPAT_CONFIG_H
-             #472  Delete unused legacy helper file "conftools/PrintPath"
-        #473 #483  Improve attribution
-   #464 #465 #477  doc/reference.html: Fix XHTML validity
-        #475 #478  doc/reference.html: Replace the 90s look by OK.css
-             #479  Version info bumped from 8:0:7 to 9:0:8
-                     due to addition of new symbols and error codes;
-                     see https://verbump.de/ for what these numbers do
+         Other changes:
+        #468 #469  xmlwf: Improve help output and the xmlwf man page
+             #463  xmlwf: Improve maintainability through some refactoring
+             #477  xmlwf: Fix man page DocBook validity
+        #458 #459  CMake: Support absolute paths for both CMAKE_INSTALL_LIBDIR
+                     and CMAKE_INSTALL_INCLUDEDIR
+        #471 #481  CMake: Add support for standard variable BUILD_SHARED_LIBS
+             #457  Unexpose symbol _INTERNAL_trim_to_complete_utf8_characters
+             #467  Resolve macro HAVE_EXPAT_CONFIG_H
+             #472  Delete unused legacy helper file "conftools/PrintPath"
+        #473 #483  Improve attribution
+   #464 #465 #477  doc/reference.html: Fix XHTML validity
+        #475 #478  doc/reference.html: Replace the 90s look by OK.css
+             #479  Version info bumped from 8:0:7 to 9:0:8
+                     due to addition of new symbols and error codes;
+                     see https://verbump.de/ for what these numbers do
  
-         Infrastructure:
-             #456  CI: Enable periodic runs
-             #457  CI: Start covering the list of exported symbols
-             #474  CI: Isolate coverage task
-        #476 #482  CI: Adapt to breaking changes in image "ubuntu-18.04"
-             #477  CI: Cover well-formedness and DocBook/XHTML validity
-                     of doc/reference.html and doc/xmlwf.xml
+         Infrastructure:
+             #456  CI: Enable periodic runs
+             #457  CI: Start covering the list of exported symbols
+             #474  CI: Isolate coverage task
+        #476 #482  CI: Adapt to breaking changes in image "ubuntu-18.04"
+             #477  CI: Cover well-formedness and DocBook/XHTML validity
+                     of doc/reference.html and doc/xmlwf.xml

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1943133

Title:
  Sync expat 2.4.1-1 (main) from Debian experimental (main)

Status in expat package in Ubuntu:
  New

Bug description:
  Please sync expat 2.4.1-1 (main) from Debian experimental (main)

  https://github.com/libexpat/libexpat/blob/R_2_4_1/expat/Changes

  CVE-2013-0340
  https://github.com/libexpat/libexpat/pull/466/files

  Changelog entries since current impish version 2.3.0-1:

  expat (2.4.1-1) experimental; urgency=high

    * New upstream release:
      - fix CVE-2013-0340: protect against billion laughs attacks
        (denial-of-service; flavors targeting CPU time or RAM or both,
        leveraging general entities or parameter entities or both).
    * Update libexpat1 symbols.

   -- Laszlo Boszormenyi (GCS) <gcs at debian.org>  Mon, 24 May 2021 10:14:11 +0200

  Release 2.4.1 Sun May 23 2021
          Bug fixes:
         #488 #490  Autotools: Fix installed header expat_config.h for multilib
                      systems; regression introduced in 2.4.0 by pull request #486

          Other changes:
         #491 #492  Version info bumped from 9:0:8 to 9:1:8;
                      see https://verbump.de/ for what these numbers do

  Release 2.4.0 Sun May 23 2021
          Security fixes:
     #34 #466 #484  CVE-2013-0340/CWE-776 -- Protect against billion laughs attacks
                      (denial-of-service; flavors targeting CPU time or RAM or both,
                      leveraging general entities or parameter entities or both)
                      by tracking and limiting the input amplification factor
                      (<amplification> := (<direct> + <indirect>) / <direct>).
                      By conservative default, amplification up to a factor of 100.0
                      is tolerated and rejection only starts after 8 MiB of output bytes
                      (=<direct> + <indirect>) have been processed.
                      The fix adds the following to the API:
                      - A new error code XML_ERROR_AMPLIFICATION_LIMIT_BREACH to
                        signal this specific condition.
                      - Two new API functions ..
                        - XML_SetBillionLaughsAttackProtectionMaximumAmplification and
                        - XML_SetBillionLaughsAttackProtectionActivationThreshold
                        .. to further tighten billion laughs protection parameters
                        when desired.  Please see file "doc/reference.html" for details.
                        If you ever need to increase the defaults for non-attack XML
                        payload, please file a bug report with libexpat.
                      - Two new XML_FEATURE_* constants ..
                        - that can be queried using the XML_GetFeatureList function, and
                        - that are shown in "xmlwf -v" output.
                      - Two new environment variable switches ..
                        - EXPAT_ACCOUNTING_DEBUG=(0|1|2|3) and
                        - EXPAT_ENTITY_DEBUG=(0|1)
                        .. for runtime debugging of accounting and entity processing.
                        Specific behavior of these values may change in the future.
                      - Two new command line arguments "-a FACTOR" and "-b BYTES"
                        for xmlwf to further tighten billion laughs protection
                        parameters when desired.
                        If you ever need to increase the defaults for non-attack XML
                        payload, please file a bug report with libexpat.

          Bug fixes:
         #332 #470  For (non-default) compilation with -DEXPAT_MIN_SIZE=ON (CMake)
                      or CPPFLAGS=-DXML_MIN_SIZE (GNU Autotools): Fix segfault
                      for UTF-16 payloads containing CDATA sections.
         #485 #486  Autotools: Fix generated CMake files for non-64bit and
                      non-Linux platforms (e.g. macOS and MinGW in particular)
                      that were introduced with release 2.3.0

          Other changes:
         #468 #469  xmlwf: Improve help output and the xmlwf man page
              #463  xmlwf: Improve maintainability through some refactoring
              #477  xmlwf: Fix man page DocBook validity
         #458 #459  CMake: Support absolute paths for both CMAKE_INSTALL_LIBDIR
                      and CMAKE_INSTALL_INCLUDEDIR
         #471 #481  CMake: Add support for standard variable BUILD_SHARED_LIBS
              #457  Unexpose symbol _INTERNAL_trim_to_complete_utf8_characters
              #467  Resolve macro HAVE_EXPAT_CONFIG_H
              #472  Delete unused legacy helper file "conftools/PrintPath"
         #473 #483  Improve attribution
    #464 #465 #477  doc/reference.html: Fix XHTML validity
         #475 #478  doc/reference.html: Replace the 90s look by OK.css
              #479  Version info bumped from 8:0:7 to 9:0:8
                      due to addition of new symbols and error codes;
                      see https://verbump.de/ for what these numbers do

          Infrastructure:
              #456  CI: Enable periodic runs
              #457  CI: Start covering the list of exported symbols
              #474  CI: Isolate coverage task
         #476 #482  CI: Adapt to breaking changes in image "ubuntu-18.04"
              #477  CI: Cover well-formedness and DocBook/XHTML validity
                      of doc/reference.html and doc/xmlwf.xml
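The accounting described in the 2.4.0 security entry above, worked through as an added Python model (not libexpat code): it applies the changelog's formula and the two default limits to a constructed entity table, and shows the edge case the entry spells out, namely that a small document can exceed the 100.0 factor without being rejected until the 8 MiB activation threshold is reached. Assumptions: internal general entities only; `nested_doc` and the sample documents are this example's own constructions, and expat itself accounts bytes incrementally during parsing rather than up front.

```python
# Added example, not libexpat code: a static model of the output-amplification accounting
# expat 2.4.0 introduced for CVE-2013-0340, using the changelog's rule
#   amplification := (direct + indirect) / direct   and its defaults (100.0, 8 MiB).
# Assumption: internal general entities only; expat accounts incrementally while parsing,
# whereas this model sums the same quantities up front from the entity table.
import re

MAX_AMPLIFICATION_DEFAULT = 100.0               # tolerated amplification factor
ACTIVATION_THRESHOLD_DEFAULT = 8 * 1024 * 1024  # output bytes before rejection starts
ENTITY_DECL = re.compile(r"""<!ENTITY\s+([^\s%"']+)\s+(?:"([^"]*)"|'([^']*)')\s*>""")
ENTITY_REF = re.compile(r"&([^;&\s<>]+);")
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}  # each expands to a single byte

def parse_general_entities(doc):
    """Internal general entity declarations (name -> replacement text) from the DTD."""
    return {name: dq or sq for name, dq, sq in ENTITY_DECL.findall(doc)}

def ref_size(sizes, ref):
    """Bytes one reference expands to; predefined and character references give 1."""
    if ref in sizes:
        return sizes[ref]
    if ref in PREDEFINED or ref.startswith("#"):
        return 1
    raise ValueError(f"reference to undeclared entity: {ref}")

def entity_sizes(entities):
    """Expanded size of each entity, memoised so the expansion is never materialised."""
    sizes, active = {}, set()
    def size(name):
        if name in sizes or name not in entities:
            return ref_size(sizes, name)
        if name in active:                      # XML forbids recursive entities
            raise ValueError(f"recursive entity: {name}")
        active.add(name)
        text = entities[name]                   # replacement text counts, plus its refs
        sizes[name] = len(text.encode()) + sum(size(r) for r in ENTITY_REF.findall(text))
        active.discard(name)
        return sizes[name]
    for name in entities:
        size(name)
    return sizes

def account(doc):
    """(direct, indirect): bytes of the document itself, and bytes that references in
    its content (everything after the internal subset) expand to."""
    sizes = entity_sizes(parse_general_entities(doc))
    content = doc.split("]>", 1)[-1]
    return len(doc.encode()), sum(ref_size(sizes, r) for r in ENTITY_REF.findall(content))

def verdict(direct, indirect, max_amplification=MAX_AMPLIFICATION_DEFAULT,
            threshold=ACTIVATION_THRESHOLD_DEFAULT):
    """The factor is enforced only once the output has reached the threshold."""
    output = direct + indirect
    amplification = output / direct
    if output >= threshold and amplification > max_amplification:
        return "XML_ERROR_AMPLIFICATION_LIMIT_BREACH", amplification
    return "XML_ERROR_NONE", amplification

def nested_doc(levels, fanout):
    """Constructed sample: each level references the one below it `fanout` times."""
    decls = ['<!ENTITY lol0 "lol">']
    for i in range(1, levels + 1):
        decls.append(f'<!ENTITY lol{i} "{("&lol%d;" % (i - 1)) * fanout}">')
    return ('<?xml version="1.0"?>\n<!DOCTYPE r [\n' + "\n".join(decls)
            + f"\n]>\n<r>&lol{levels};</r>\n")
```

Lowering `threshold` in `verdict` plays the role of XML_SetBillionLaughsAttackProtectionActivationThreshold, and `max_amplification` that of XML_SetBillionLaughsAttackProtectionMaximumAmplification, for deciding how a given document would fare under tighter settings.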
