pkgsrc-Changes archive
CVS commit: [pkgsrc-2026Q1] pkgsrc/textproc/expat
Module Name: pkgsrc
Committed By: bsiegert
Date: Mon May 18 07:53:40 UTC 2026
Modified Files:
pkgsrc/textproc/expat [pkgsrc-2026Q1]: Makefile distinfo
Log Message:
Pullup ticket #7115 - requested by taca
textproc/expat: security fix
Revisions pulled up:
- textproc/expat/Makefile 1.64-1.65
- textproc/expat/distinfo 1.58-1.59
---
Module Name: pkgsrc
Committed By: wiz
Date: Sun Apr 26 19:45:59 UTC 2026
Modified Files:
pkgsrc/textproc/expat: Makefile distinfo
Log Message:
Release 2.8.0 Fri April 24 2026
Security fixes:
#47 #1183 CVE-2026-41080 -- The existing hash flooding protection
(based on SipHash) only used 4 to 8 bytes of entropy for
a salt, when 16 bytes of salt are supported by the
implementation of SipHash used by Expat. Now full 16 bytes
of entropy are used to improve protection against hash
flooding attacks.
Existing API function XML_SetHashSalt is now deprecated
because of its limitations, and its use should be
considered a vulnerability. Please either use the new API
function XML_SetHashSalt16Bytes (with known-high-quality
entropy input only!) instead, or leave the derivation of
a 16-bytes hash salt from high quality entropy to Expat's
internal machinery (by *not* calling either of the two
XML_SetHashSalt* functions).
Bug fixes:
#1188 Avoid propagating /dev/urandom file descriptor to child
processes
#1193 Fix interpretation of `errno` after randomization calls
#1195 Avoid assuming uint8_t is a character type
Other changes:
#1180 #1199 Add support for `getentropy(3)` as a source of entropy;
this helps with protecting against hash flooding attacks,
in particular with WASI SDK (where none of the other
entropy sources supported by libexpat are available).
#1200 Autotools: Add `--without-arc4random` and
`--without-arc4random-buf`
#1200 Autotools: Make `./configure` output report on available
high quality entropy sources
#1173 Autotools|macOS: Sync CMake templates with CMake 4.3.0
#1201 Autotools|CMake: Improve checks for `arc4random` and
`arc4random_buf` e.g. with modern glibc
#1201 CMake: Report on availability of functions `arc4random` and
`arc4random_buf`
#1201 CMake: Mark entropy related build switches as advanced
#1189 ..
#1203 #1204 Extract new files from entropy extraction code
#1194 Stop duplicating C tests 1:1 as C++ ("runtests_cxx")
#1202 Fix a comment typo in expat_external.h
#1187 Fix grammar in compile error message
#1192 examples: Build warning-free with -Wwrite-strings
#1171 tests: Address harmless warning from Coverity
#1170 #1176 Sync file headers
#1190 #1206 Version info bumped from 12:3:11 (libexpat*.so.1.11.3)
to 13:0:12 (libexpat*.so.1.12.0); see https://verbump.de/
for what these numbers do
Infrastructure:
#1166 #1167 ..
#1172 #1175 ..
#1178 #1179 ..
#1185 #1205 CI: Make Perl XML::Parser integration tests run against
both version 2.47 and the latest release 2.58
#1169 CI: Adapt to breaking changes regarding Inno Setup
#1173 CI: Adapt to breaking changes regarding CMake
#1174 CI: Include public corpus of fuzzer `xml_lpm_fuzzer` with
regression testing
#1181 #1182 CI: Bump WASI SDK from 30 to 32
Special thanks to:
Jérôme Duval
Matthew Fernandez
---
Module Name: pkgsrc
Committed By: adam
Date: Mon May 11 15:51:26 UTC 2026
Modified Files:
pkgsrc/textproc/expat: Makefile distinfo
Log Message:
expat: updated to 2.8.1
Release 2.8.1 Sun May 10 2026
Security fixes:
CVE-2026-45186 -- Fix quadratic runtime from attribute name
collision checks that allowed denial of service attacks
through moderately sized crafted XML input (CWE-407).
Please note that a layer of compression around XML can
significantly reduce the minimum attack payload size.
Other changes:
Drop more casts related to `void *` that C99 does not need
xmlwf: Streamline use of `mmap`
Version info bumped from 13:0:12 (libexpat*.so.1.12.0)
to 13:1:12 (libexpat*.so.1.12.1); see https://verbump.de/
for what these numbers do
To generate a diff of this commit:
cvs rdiff -u -r1.63 -r1.63.2.1 pkgsrc/textproc/expat/Makefile
cvs rdiff -u -r1.57 -r1.57.2.1 pkgsrc/textproc/expat/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/textproc/expat/Makefile
diff -u pkgsrc/textproc/expat/Makefile:1.63 pkgsrc/textproc/expat/Makefile:1.63.2.1
--- pkgsrc/textproc/expat/Makefile:1.63 Tue Mar 17 21:20:10 2026
+++ pkgsrc/textproc/expat/Makefile Mon May 18 07:53:40 2026
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.63 2026/03/17 21:20:10 wiz Exp $
+# $NetBSD: Makefile,v 1.63.2.1 2026/05/18 07:53:40 bsiegert Exp $
-DISTNAME= expat-2.7.5
+DISTNAME= expat-2.8.1
CATEGORIES= textproc
MASTER_SITES= ${MASTER_SITE_GITHUB:=libexpat/}
GITHUB_PROJECT= libexpat
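Review bot: The DISTNAME line moves the stable branch from expat-2.7.5 straight to expat-2.8.1, so this pullup carries the whole 2.8.0 feature release (new XML_SetHashSalt16Bytes, deprecation of XML_SetHashSalt, library version 1.11.3 to 1.12.1 per the log) and not only the two CVE fixes. Only Makefile and distinfo are modified, so it is worth confirming that nothing in the package's buildlink3.mk needs adjusting for consumers on the branch that start using the new function, and that packages calling the now-deprecated XML_SetHashSalt still build where deprecation warnings are treated as errors.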
Index: pkgsrc/textproc/expat/distinfo
diff -u pkgsrc/textproc/expat/distinfo:1.57 pkgsrc/textproc/expat/distinfo:1.57.2.1
--- pkgsrc/textproc/expat/distinfo:1.57 Tue Mar 17 21:20:10 2026
+++ pkgsrc/textproc/expat/distinfo Mon May 18 07:53:40 2026
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.57 2026/03/17 21:20:10 wiz Exp $
+$NetBSD: distinfo,v 1.57.2.1 2026/05/18 07:53:40 bsiegert Exp $
-BLAKE2s (expat-2.7.5.tar.gz) = 679fbf8744d8f0356232a728f366827ba118bf15af91c918bc5fc9b08fb9aadb
-SHA512 (expat-2.7.5.tar.gz) = fefcc386800ac242e6c7408caf3667264534d7ab269cd3768478bfb0d558e1a32adca03e1822269447f1609bedc5bdbbde47dd9a3824bfd080274a8d691942a3
-Size (expat-2.7.5.tar.gz) = 805627 bytes
+BLAKE2s (expat-2.8.1.tar.gz) = f4b7e78afa9094b38f09bc2381ed97c776158b2722f54065f66d6a8a47863956
+SHA512 (expat-2.8.1.tar.gz) = 2b17c1210d7267bdd0bd98d3e093279c56487efec1f2ae725bbc87b834c3f7aa789791ddb89ee324d1a823dc4e65b2f0d1555afb95cc06d64d75821e565dfc8c
+Size (expat-2.8.1.tar.gz) = 812969 bytes
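Review bot: The new BLAKE2s and SHA512 lines for expat-2.8.1.tar.gz are the only integrity anchor branch users get for a tarball fetched from MASTER_SITE_GITHUB, so they should be compared against an independently obtained copy of the upstream release (or upstream's signed release artifacts) and not only regenerated from whatever the fetch returned. The ticket should record that this comparison was done before the pullup.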