pkgsrc-Users archive


Expat 2.6.0 released, includes security fixes



Hello everyone!


Expat 2.6.0 has just been released.

Of the two denial-of-service security fixes, CVE-2023-52426 (ending in "6") is likely of little practical interest to you since it needs XML_DTD _un_defined, which is not common in distro packaging.

In case you do run into questions about how to best deal with the new XML_GE macro, defining it to 1 is default, recommended, and backwards compatible. That switch was added to give parties that were previously avoiding XML_DTD for reduced code size a choice between adding the billion laughs protection layer or — the opposite direction — cutting even support for general entities away (which is not suitable for the average XML processor using Expat and not XML but a subset of XML). The new switch is expected to work out of the box just the way that you would want it in distro packaging.

There is a summary blog post at [1] and the change log is at [2] with more details.

If you have patches for Expat that are still required with version 2.6.0, please send them my way so we can get them included with a future release. Thank you!

Best



Sebastian


[1] https://blog.hartwork.org/posts/expat-2-6-0-released/
[2] https://github.com/libexpat/libexpat/blob/R_2_6_0/expat/Changes
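An added example, not part of the announcement above or of the Expat project: it reads the feature list of the Expat that Python's `pyexpat` is linked against to see whether general-entity support (XML_DTD before 2.6.0, XML_GE from 2.6.0) and the billion laughs protection layer were compiled in, and shows the application-layer counterpart of building without XML_GE, namely refusing every entity declaration. The `XML_BLAP_*` feature names are assumed from Expat's sources; the sample documents are constructed.

```python
"""Inspect the linked Expat build and parse with entity declarations rejected."""
import pyexpat
import xml.parsers.expat as expat

# Feature names as Expat's XML_GetFeatureList() reports them. "XML_DTD" and
# "XML_GE" are the macros from the announcement; the two XML_BLAP_* names
# (billion laughs protection defaults) are assumed from Expat's sources.
_GE_FEATURES = ("XML_GE", "XML_DTD")
_BLAP_FEATURES = ("XML_BLAP_MAX_AMP", "XML_BLAP_ACT_THRES")


def expat_build_info():
    """Summarise the linked Expat build from its version and feature list."""
    features = {name: value for name, value in pyexpat.features}
    version = tuple(pyexpat.version_info)          # e.g. (2, 6, 0)
    return {
        "version": version,
        "at_least_2_6_0": version >= (2, 6, 0),
        "general_entities": any(f in features for f in _GE_FEATURES),
        "billion_laughs_protection": all(f in features for f in _BLAP_FEATURES),
        "features": features,
    }


def parse_without_entities(xml_bytes):
    """Parse xml_bytes and return the element names seen, in document order.

    Any entity declaration (general or parameter) aborts the parse with a
    ValueError before the entity can be referenced, and parameter entities
    are never expanded. This is what a deployment that cannot rebuild Expat
    without XML_GE can still enforce in the application."""
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    seen = []

    def reject_entity(name, is_param, value, base, system_id, public_id, notation):
        kind = "parameter" if is_param else "general"
        raise ValueError(f"{kind} entity declaration rejected: {name!r}")

    parser.EntityDeclHandler = reject_entity
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(xml_bytes, True)   # an exception raised in a handler propagates
    return seen


if __name__ == "__main__":
    print(expat_build_info())                       # constructed sample documents follow
    print(parse_without_entities(b"<a><b/></a>"))
    try:
        parse_without_entities(b'<!DOCTYPE a [<!ENTITY lol "lol">]><a>&lol;</a>')
    except ValueError as err:
        print("rejected:", err)
```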

