---
- branch: MAIN
  date: Wed Feb  7 13:19:26 UTC 2024
  files:
  - new: '1.55'
    old: '1.54'
    path: pkgsrc/textproc/expat/Makefile
    pathrev: pkgsrc/textproc/expat/Makefile@1.55
    type: modified
  - new: '1.23'
    old: '1.22'
    path: pkgsrc/textproc/expat/builtin.mk
    pathrev: pkgsrc/textproc/expat/builtin.mk@1.23
    type: modified
  - new: '1.48'
    old: '1.47'
    path: pkgsrc/textproc/expat/distinfo
    pathrev: pkgsrc/textproc/expat/distinfo@1.48
    type: modified
  id: 20240207T131926Z.9d50b36198f29c5e2b9d111f3840c1989016aaf0
  log: |
    expat: updated to 2.6.0

    Release 2.6.0 Tue February 6 2024
        Security fixes:
      * *  CVE-2023-52425 -- Fix quadratic runtime issues with big tokens
                   that can cause denial of service, in partial where
                   dealing with compressed XML input.  Applications
                   that parsed a document in one go -- a single call to
                   functions XML_Parse or XML_ParseBuffer -- were not affected.
                   The smaller the chunks/buffers you use for parsing
                   previously, the bigger the problem prior to the fix.
                   Backporters should be careful to no omit parts of
                   pull request * and to include earlier pull request *,
                   in order to not break the fix.
           *  CVE-2023-52426 -- Fix billion laughs attacks for users
                   compiling *without* XML_DTD defined (which is not common).
                   Users with XML_DTD defined have been protected since
                   Expat >=2.4.0 (and that was CVE-2013-0340 back then).

        Bug fixes:
            *  Fix parse-size-dependent "invalid token" error for
                    external entities that start with a byte order mark
            *  Fix NULL pointer dereference in setContext via
                    XML_ExternalEntityParserCreate for compilation with
                    XML_DTD undefined
       * *  Protect against closing entities out of order

        Other changes:
            *  Improve support for arc4random/arc4random_buf
       * *  Improve buffer growth in XML_GetBuffer and XML_Parse
       * *  xmlwf: Support --help and --version
       * *  xmlwf: Support custom buffer size for XML_GetBuffer and read
            *  xmlwf: Improve language and URL clickability in help output
            *  examples: Add new example "element_declarations.c"
            *  Be stricter about macro XML_CONTEXT_BYTES at build time
            *  Make inclusion to expat_config.h consistent
       * *  Autotools: configure.ac: Support --disable-maintainer-mode
    * * ..
      * * *  Autotools: Sync CMake templates with CMake 3.26
            *  Autotools: Make installation of shipped man page doc/xmlwf.1
                    independent of docbook2man availability
            *  Autotools|CMake: Add missing -DXML_STATIC to pkg-config file
                    section "Cflags.private" in order to fix compilation
                    against static libexpat using pkg-config on Windows
       * *  Autotools|CMake: Require a C99 compiler
                    (a de-facto requirement already since Expat 2.2.2 of 2017)
            *  Autotools|CMake: Fix PACKAGE_BUGREPORT variable
       * *  Autotools|CMake: Make test suite require a C++11 compiler
            *  CMake: Require CMake >=3.5.0
            *  CMake: Lowercase off_t and size_t to help a bug in Meson
            *  CMake: Sort xmlwf sources alphabetically
            *  CMake|Windows: Fix generation of DLL file version info
            *  CMake: Build tests/benchmark/benchmark.c as well for
                    a build with -DEXPAT_BUILD_TESTS=ON
       * *  docs: Document the importance of isFinal + adjust tests
                    accordingly
            *  docs: Improve use of "NULL" and "null"
            *  docs: Be specific about version of XML (XML 1.0r4)
                    and version of C (C99); (XML 1.0r5 will need a sponsor.)
            *  docs: reference.html: Promote function XML_ParseBuffer more
            *  docs: reference.html: Add HTML anchors to XML_* macros
            *  docs: reference.html: Upgrade to OK.css 1.2.0
       * *  docs: Fix typos
            *  docs|CI: Use HTTPS URLs instead of HTTP at various places
    * * ..
    * * ..
       * *  Address compiler warnings
       * *  Address clang-tidy warnings
       * *  Version info bumped from 9:10:8 (libexpat*.so.1.8.10)
                    to 10:0:9 (libexpat*.so.1.9.0); see https://verbump.de/
                    for what these numbers do

        Infrastructure:
       * *  docs: Document security policy in file SECURITY.md
            *  docs: Improve parse buffer variables in-code documentation
    * * ..
    * * ..
      * * *  Refactor coverage and conformance tests
       * *  Refactor debug level variables to unsigned long
            *  Improve handling of empty environment variable value
                    in function getDebugLevel (without visible user effect)
    * * ..
    * * ..
       * *  tests: Improve test coverage with regard to parse chunk size
      * * *  Fuzzing: Improve fuzzing coverage
       * *  Fuzzing|CI: Start running OSS-Fuzz fuzzing regression tests
       * *  CI: Resolve some Travis CI leftovers
            *  CI: Be robust towards absence of Git tags
       * *  CI: Set permissions to "contents: read" for security
            *  CI: Pin all GitHub Actions to specific commits for security
            *  CI: Reject spelling errors using codespell
            *  CI: Enforce clang-tidy clean code
    * * ..
       * *  CI: Upgrade Clang from 15 to 18
            *  CI: Start using Clang's Control Flow Integrity sanitizer
      * * *  CI: Adapt to breaking changes in GitHub Actions Ubuntu images
            *  CI: Adapt to breaking changes in Clang/LLVM Debian packaging
            *  CI: Adapt to breaking changes in codespell
            *  CI: Adapt to breaking changes in Cppcheck
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/textproc/expat'
  unixtime: '1707311966'
  user: adam