Changelog for libexpat-devel-2.2.6-177.1.x86_64.rpm :
Thu Feb 7 13:00:00 2019
- Add expat-2.2.6-fix-make-clean.patch
- Allow profile guided optimization again

Thu Jan 3 13:00:00 2019
- Drop docbook2x dependency, the manpages are generated in
the upstream archive and this way we break buildcycle

Tue Sep 11 14:00:00 2018
- Version update to 2.2.6 Sun August 12 2018

* Bug fixes:
- Avoid doing arithmetic with NULL pointers in XML_GetBuffer
- Fix 2.2.5 regression with suspend-resume while parsing
a document like \'\'

* Other changes:
- Autotools: Fix docbook-related configure syntax error
- Autotools: Avoid grep option `-q` for Solaris
- Autotools: Support
./configure DOCBOOK_TO_MAN=\"xmlto man --skip-validation\"
- Autotools: Support DOCBOOK_TO_MAN command which produces
xmlwf.1 rather than XMLWF.1; also covers case insensitive
file systems
- Autotools: Drop -rpath option passed to libtool
- Autotools: Detect and deny SGML docbook2man as ours is XML
- Autotools/CMake: Support command db2x_docbook2man as well
- CMake: Introduce option WARNINGS_AS_ERRORS, defaults to OFF
- CMake: Introduce option MSVC_USE_STATIC_CRT, defaults to OFF
- CMake: Introduce option XML_UNICODE and XML_UNICODE_WCHAR_T,
both defaulting to OFF
- CMake: Prefer check_symbol_exists over check_function_exists
- CMake: Create the same pkg-config file as with GNU Autotools
- CMake: Use GNUInstallDirs module to set proper defaults for
install directories
- CMake: Utilize expat_config.h.cmake for XML_DEV_URANDOM
- Address compiler warnings
- Fix miscellaneous typos

Thu Nov 16 13:00:00 2017
- Expand description of expat-devel.

Thu Nov 16 13:00:00 2017
- Do not generate manpages from docbook
- Temporarily disable profiling due to bug in build system

Wed Nov 8 13:00:00 2017
- Version update to 2.2.5 Tue October 31 2017

* Bug fixes:
- If the parser runs out of memory, make sure its internal
state reflects the memory it actually has, not the memory
it wanted to have.
- The default handler wasn\'t being called when it should for
a SYSTEM or PUBLIC doctype if an entity declaration handler
was registered.
- Fix a case of mistakenly reported parsing success where
XML_StopParser was called from an element handler
- Function XML_ErrorString was returning NULL rather than
introduced with release 2.2.1

* Other changes:
- Add argument -N adding notation declarations
- various compiler-specific fixes
- Improve docbook2x-man detection
- drop expat-docbook.patch

* fixed in 0f5186c7b8e503c669e332d944712de010b265f3
- switch to github for release tarballs and website

Thu Oct 26 14:00:00 2017
- Version update to 2.2.4 Sat August 19 2017

* Bug fixes:
[#115] Fix copying of partial characters for UTF-8 input

* Other changes:
[#109] Fix \"make check\" for non-x86 architectures that default
to unsigned type char (-128..127 rather than 0..255)
[#109] Cover -funsigned-char
Autotools: Introduce --without-xmlwf argument
[#65] Autotools: Replace handwritten Makefile with GNU Automake
[#43] CMake: Auto-detect high quality entropy extractors, add new
option USE_libbsd=ON to use arc4random_buf of libbsd
[#74] CMake: Add -fno-strict-aliasing only where supported
[#114] CMake: Always honor manually set BUILD_
* options
[#114] CMake: Compile man page if docbook2x-man is available, only
[#117] Include file tests/xmltest.log.expected in source tarball
(required for \"make run-xmltest\")
[#111] Fix some typos in documentation
Version info bumped from 7:5:6 to 7:6:6
- Release 2.2.3 Wed August 2 2017

* Bug fixes:
[#85] Fix a dangling pointer issue related to realloc

* Other changes:
[#91] Linux: Allow getrandom to fail if nonblocking pool has not
yet been initialized and read /dev/urandom then, instead.
This is in line with what recent Python does.
[#86] Check that a UTF-16 encoding in an XML declaration has the
right endianness
[#4] #5 #7 Recover correctly when some reallocations fail
Repair \"./configure && make\" for systems without any
provider of high quality entropy
and try reading /dev/urandom on those
Ensure that user-defined character encodings have converter
functions when they are needed
Fix mis-leading description of argument -c in xmlwf.1
Rely on macro HAVE_ARC4RANDOM_BUF (rather than __CloudABI__)
for CloudABI
[#100] Fix use of SIPHASH_MAIN in siphash.h
[#23] Test suite: Fix memory leaks
Version info bumped from 7:4:6 to 7:5:6
- Release 2.2.2 Wed July 12 2017

* Security fixes:
[#43] Protect against compilation without any source of high
quality entropy enabled, e.g. with CMake build system;

* [MOX-006] Fix non-NULL parser parameter validation in XML_Parse;
resulted in NULL dereference, previously;

* Bug fixes:
[#69] Fix improper use of unsigned long long integer literals

* Other changes:
[#73] Start requiring a C99 compiler
[#49] Fix \"==\" Bashism in configure script
[#58] Address compile warnings
[#68] Fix \"./ && ./configure\" for some versions
of Dash for /bin/sh
[#72] CMake: Ease use of Expat in context of a parent project
with multiple CMakeLists.txt files
[#72] CMake: Resolve mistaken executable permissions
[#76] Address compile warning with -DNDEBUG (not recommended!)
[#77] Address compile warning about macro redefinition

* Added patch expat-docbook.patch to compile the man pages with

* Cleaned spec file with spec-cleaner

Sat Oct 7 14:00:00 2017
- Allow building when do_profiling is undefined

Tue Jul 11 14:00:00 2017
- Build with profiling when possible

Tue Jul 4 14:00:00 2017
- Version update to 2.2.1 Sat June 17 2017
- Security fixes:
CVE-2017-9233 / bsc#1047236 -- External entity infinite loop DoS
Commit c4bf96bb51dd2a1b0e185374362ee136fe2c9d7f
- [MOX-002] CVE-2016-9063 / bsc#1047240 -- Detect integer overflow;
(Fixed version of existing downstream patches!)
- ( #539 Fix regression from fix to CVE-2016-0718 cutting off
longer tag names;
[#25] More integer overflow detection (function poolGrow);
- [MOX-002] Detect overflow from len=INT_MAX call to XML_Parse;
- [MOX-005] #30 Use high quality entropy for hash initialization:

* arc4random_buf on BSD, systems with libbsd
(when configured with --with-libbsd), CloudABI

* RtlGenRandom on Windows XP / Server 2003 and later

* getrandom on Linux 3.17+
In a way, that\'s still part of CVE-2016-5300.
- [MOX-005] For the low quality entropy extraction fallback code,
the parser instance address can no longer leak,
- [MOX-003] Prevent use of uninitialised variable; commit
- [MOX-004] a4dc944f37b664a3ca7199c624a98ee37babdb4b
Add missing parameter validation to public API functions
and dedicated error code XML_ERROR_INVALID_ARGUMENT:
- [MOX-006]
* NULL checks; commits

* Negative length (XML_Parse); commit
- [MOX-002] 70db8d2538a10f4c022655d6895e4c3e78692e7f
- [MOX-001] #35 Change hash algorithm to William Ahern\'s version of SipHash
to go further with fixing CVE-2012-0876.
- Bug fixes:
[#32] Fix sharing of hash salt across parsers;
relevant where XML_ExternalEntityParserCreate is called
prior to XML_Parse, in particular (e.g. FBReader)
[#28] xmlwf: Auto-disable use of memory-mapping (and parsing
as a single chunk) for files larger than ~1 GB (2^30 bytes)
rather than failing with error \"out of memory\"
[#3] Fix double free after malloc failure in DTD code; commit
[#17] Fix memory leak on parser error for unbound XML attribute
prefix with new namespaces defined in the same tag;
found by Google\'s OSS-Fuzz; commits
xmlwf on Windows: Add missing calls to CloseHandle
- New features:
[#30] Introduced environment switch EXPAT_ENTROPY_DEBUG=1
for runtime debugging of entropy extraction
Bump version info from 7:2:6 to 7:3:6

Mon Jul 18 14:00:00 2016
- Remove pointless --with-pic (for static only)

Thu Jul 14 14:00:00 2016
- Version update to 2.2.0:

* Fixes bnc#983215 CVE-2012-6702

* Fixes bnc#983216 CVE-2016-5300

* Various cmake and autotools script updates

* Fix detection of utf8 character boundaries
- Remove all patches merged upstream:

* expat-2.1.1-avoid_relying_on_undef_behaviour.patch

* expat-2.1.1-parser_crashes_on_malformed_input.patch

* expat-alloc-size.patch

* expat-visibility.patch

Wed May 18 14:00:00 2016
- add expat-2.1.1-avoid_relying_on_undef_behaviour.patch to avoid
relying on undefined behavior in the original CVE-2015-1283 fix
[bnc#980391], [bnc#983985], [CVE-2016-4472]
- add expat-2.1.1-parser_crashes_on_malformed_input.patch to fix
Expat XML parser that mishandles certain kinds of malformed input
documents [bnc#979441], [CVE-2016-0718]
- use spec-cleaner to clean specfile

Fri Apr 1 14:00:00 2016
- After simplification of expat-visibility.patch, it became
uneffective as no symbols are getting hidden. add
- fvisibility=hidden to CFLAGS again.
- expat-alloc-size.patch: fix braino, realloc()-like functions
should not take __attribute__(malloc)

Wed Mar 23 13:00:00 2016
- Update to version 2.1.1

* Fixes CVE-2015-1283 — Multiple integer overflows in the
XML_GetBuffer function

* Fix potential null pointer dereference

* Symbol XML_SetHashSalt was not exported

* Output of xmlwf -h was incomplete

* Document behavior of calling XML_SetHashSalt with salt 0

* Minor improvements to man page xmlwf(1)
- Simplify expat-visibility.patch, refresh expat-alloc-size.patch
- Drop config-guess-sub-update.patch, fixed upstream.

Sat Jul 11 14:00:00 2015
- Cleanup spec file with spec-cleaner
- Remove old ppc obsoletes/provides

Tue Mar 26 13:00:00 2013
- Added url as source.
Please see

Thu Feb 21 13:00:00 2013
- Sanitize description of expat (replace it with a more current
one from the homepage)

Mon Feb 4 13:00:00 2013
- Update config.guess/sub for aarch64

Wed Jan 23 13:00:00 2013
- fix of fix of [bnc#798644]
- according to upstream changelog:
- Improved ability to build without the configure-generated
expat_config.h header. This is useful for applications
which embed Expat rather than linking in the library.
because I am not exactly sure about implication of this, rather use
- DXML_HAVE_VISIBILITY in CFLAG_VISIBILITY in expat-visibility.patch

Tue Jan 22 13:00:00 2013
- Executing autoreconf requires autoconf BuildRequire

Fri Jan 18 13:00:00 2013
- really hide private Xml
* symbols [bnc#798644]

* modified visibility.patch

Tue Apr 10 14:00:00 2012
- update to 2.1.0
- Bug Fixes:
[#1742315]: Harmful XML_ParserCreateNS suggestion.
[#2895533]: CVE-2012-1147 - Resource leak in readfilemap.c.
[#1785430]: Expat build fails on linux-amd64 with gcc version>=4.1 -O3.
[#1983953], 2517952, 2517962, 2649838:
Build modifications using autoreconf instead of
[#2815947], #2884086: OBJEXT and EXEEXT support while building.
[#1990430]: CVE-2009-3720 - Parser crash with special UTF-8 sequences.
[#2517938]: xmlwf should return non-zero exit status if not well-formed.
[#2517946]: Wrong statement about XMLDecl in xmlwf.1 and xmlwf.sgml.
[#2855609]: Dangling positionPtr after error.
[#2894085]: CVE-2009-3560 - Buffer over-read and crash in big2_toUtf8().
[#2958794]: CVE-2012-1148 - Memory leak in poolGrow.
[#2990652]: CMake support.
[#3010819]: UNEXPECTED_STATE with a trailing \"%\" in entity value.
[#3206497]: Unitialized memory returned from XML_Parse.
[#3287849]: make check fails on mingw-w64.
[#3496608]: CVE-2012-0876 - Hash DOS attack.
- Patches:
[#1749198]: pkg-config support.
[#3010222]: Fix for bug #3010819.
[#3312568]: CMake support.
[#3446384]: Report byte offsets for attr names and values.
- New Features / API changes:

* Added new API member XML_SetHashSalt() that allows setting an
intial value (salt) for hash calculations. This is part of the
fix for bug #3496608 to randomize hash parameters.

* When compiled with XML_ATTR_INFO defined, adds new API member
XML_GetAttributeInfo() that allows retrieving the byte
offsets for attribute names and values (patch #3446384).

* Added CMake build system. See bug #2990652 and patch #3312568.

* Added run-benchmark target to - relies on testdata
module present in the same relative location as in the repository.

Tue Mar 6 13:00:00 2012
- update to 2.1.0 beta

* refreshed expat-visibility.patch

* removed obsolete expat-CVE-2009-3560.patch

* removed obsolete expat-CVE-2009-2625.patch
- hash table DOS attack fix
- accumulated bug fixes and some changes to the build system
- new conditional feature to make byte offsets for attributes
and attribute names available

Sun Feb 12 13:00:00 2012
- Put libraries back to %{_libdir}, /usr merge project

Fri Dec 2 13:00:00 2011
- add automake as buildrequire to avoid implicit dependency

Sun Oct 30 13:00:00 2011
- Hide non public symbols reusing existing win32 API export/imports
- annotate malloc/realloc-like functions with attribute alloc_size
to catch possible misuses in calling code.

Sun Sep 18 14:00:00 2011
- Remove redundant/obsolete tags/sections from specfile
(cf. packaging guidelines)
- Use %_smp_mflags for parallel build
- Add libexpat-devel to baselibs

Fri Feb 25 13:00:00 2011
- fix license (MIT) in spec file

Fri Jan 8 13:00:00 2010
- fix CVE-2009-3560.patch [bnc#566434]

Sun Dec 13 13:00:00 2009
- add baselibs.conf as a source

Fri Dec 4 13:00:00 2009
- fix DoS (CVE-2009-3560.patch) [bnc#558892]

Thu Oct 29 13:00:00 2009
- fix DoS (CVE-2009-2625.patch) [bnc#550664]

Sun Apr 5 14:00:00 2009
- test suite requires gcc-c++ to compile