Expat 2.4.9 released, includes security fixes
Hello everyone!

Expat 2.4.9 has just been released. Most importantly this release fixes CVE-2022-40674.

There will be a summary blog post at [1] soon and the change log is at [2] with more details already.

If you have patches for Expat that are still required with version 2.4.9, please send them my way. Thank you!

Best

Sebastian

[1] https://blog.hartwork.org/posts/expat-2-4-9-released/
[2] https://github.com/libexpat/libexpat/blob/R_2_4_9/expat/Changes
Expat 2.4.7 released
Hello everyone!

Expat 2.4.7 has just been released. Most importantly this release relaxes the fix to CVE-2022-25236 (introduced with release 2.4.5) which some of you have been waiting for.

There will be a summary blog post at [1] soon and the change log is at [2] with more details already.

If you have patches for Expat that are still required with version 2.4.7, please send them my way. Thank you!

Best

Sebastian

[1] https://blog.hartwork.org/posts/expat-2-4-7-released/
[2] https://github.com/libexpat/libexpat/blob/R_2_4_7/expat/Changes
Expat 2.4.5 with security fixes released
Hello everyone!

Expat 2.4.5 with security fixes has been released.

Please note that different people evaluate the impact of security issues differently: 2 of those 5 vulnerabilities allow proven code execution not within Expat but in (some) applications using Expat, and hence they are "critical" on my personal scale while e.g. Ubuntu considers these two as "low" and "medium" respectively, only. I have contacted Ubuntu security about that earlier today but have yet to hear back.

There will be a summary blog post at [1] and the change log is at [2] with more details already.

If you have patches for Expat that are still required with version 2.4.5, please send them my way. Thank you!

Best

Sebastian

[1] https://blog.hartwork.org/posts/expat-2-4-5-released/
[2] https://github.com/libexpat/libexpat/blob/R_2_4_5/expat/Changes
Expat 2.4.4 with security fixes released
Hello everyone!

Expat 2.4.4 with security fixes has been released. There is a summary blog post [1] and the change log [2] with more details.

If you have patches for Expat that are still required with version 2.4.4, please send them my way. Thank you!

Best

Sebastian

[1] https://blog.hartwork.org/posts/expat-2-4-4-released/
[2] https://github.com/libexpat/libexpat/blob/R_2_4_4/expat/Changes
Expat 2.4.3 with security fixes released
Hello everyone!

Expat 2.4.3 with security fixes has been released. There is a summary blog post [1] and the change log [2] with more details.

If you have patches for Expat that are still required with version 2.4.3, please send them my way. Thank you!

Best

Sebastian

[1] https://blog.hartwork.org/posts/expat-2-4-3-released/
[2] https://github.com/libexpat/libexpat/blob/R_2_4_3/expat/Changes
Re: Expat 2.4.0 (and 2.4.1) with security fixes released
Hi everyone,

more than half of you have updated to 2.4.1 already [1], very nice. Please let me know if you need any help with updating or backporting or something like that.

Thanks and best

Sebastian

[1] https://repology.org/project/expat/information

On 24.05.21 01:01, Sebastian Pipping wrote:
> Hello everyone!
>
> Expat 2.4.0 (and 2.4.1) most importantly brings protection against
> Billion Laughs Attacks (CVE-2013-0340). There is a blog post [1] and
> the change log with more details.
>
> If you have patches for Expat that are still required with version
> 2.4.1, please send them my way. Thank you!
>
> Best
>
> Sebastian
>
> [1] https://blog.hartwork.org/posts/cve-2013-0340-billion-laughs-fixed-in-expat-2-4-0/
> [2] https://github.com/libexpat/libexpat/blob/R_2_4_1/expat/Changes
Expat 2.4.0 (and 2.4.1) with security fixes released
Hello everyone!

Expat 2.4.0 (and 2.4.1) most importantly brings protection against Billion Laughs Attacks (CVE-2013-0340). There is a blog post [1] and the change log with more details.

If you have patches for Expat that are still required with version 2.4.1, please send them my way. Thank you!

Best

Sebastian

[1] https://blog.hartwork.org/posts/cve-2013-0340-billion-laughs-fixed-in-expat-2-4-0/
[2] https://github.com/libexpat/libexpat/blob/R_2_4_1/expat/Changes
Re: Expat 2.3.0 has been released
Hi Marius,

On 10.05.21 00:07, Marius Bakke wrote:
> Sebastian Pipping writes:
>
>> Hello everyone,
>>
>> just a quick heads up that there will be a new release of libexpat with
>> security fix in a few weeks. Unless I looked in the wrong place, I
>> noticed that your distro has not updated to libexpat 2.3.0 as of today.
>> If you ran into any issues with packaging 2.3.0, please let me know now
>> so that I can fix things upstream for you and everyone while there is
>> still a window before next releases to do so. Thank you!
>
> Hi Sebastian,
>
> I have updated expat on our "core-updates" branch, since it entails a
> full rebuild:
>
> https://git.savannah.gnu.org/cgit/guix.git/commit/?h=core-updates=831c6d84e1bcff4b68dfd0f6e299f2c0bb60d0b8
>
> I notice 2.3.0 does not have any ABI changes from 2.2.9. In that case
> the security fix/version can be "grafted" in place without rebuilding
> the world. So count us ready, we'll test 2.3.0 meanwhile. :-)

Thank you!

Best

Sebastian
Re: Expat 2.3.0 has been released
On 09.05.21 16:07, Leo Famulari wrote:
> On Sun, May 09, 2021 at 02:53:09PM +0200, Sebastian Pipping wrote:
>> The related soversions are:
>>
>> 2.2. 9 = 7:11:6 -> libexpat.so.1.6.11 (GUIX today)
>> 2.2.10 = 7:12:6 -> libexpat.so.1.6.12
>> 2.3. 0 = 8: 0:7 -> libexpat.so.1.7.0 (GUIX W.I.P.)
>> 2.4. 0 = 9: 0:8 -> libexpat.so.1.8.0 (upcoming)
>
> Alright, in this case we'll need to cherry-pick the relevant bug fixes.
>
> See the manual section Security Updates for this note:
>
> "Other restrictions may apply: for instance, when adding a graft to a
> package providing a shared library, the original shared library and its
> replacement must have the same SONAME and be binary-compatible."

The soname is the same: it's libexpat.so.1 for all of them — no?

# objdump -p libexpat.so.1.7.0 | grep SONAME
  SONAME               libexpat.so.1

They are binary-compatible. So I think there may be a misunderstanding here.
Re: Expat 2.3.0 has been released
Hi Maxime,

On 09.05.21 11:17, Maxime Devos wrote:
> I see Leo Prikler has already sent a patch (48...@debbugs.gnu.org).

yes, thanks for your interest in the topic.

On 09.05.21 11:12, Maxime Devos wrote:
> According to "guix refresh -l", simply updating expat would entail rebuilding
> 6031 packages. This can be avoided if v2.4.0 is binary compatible with v2.2.9.
> Is this the case?

The short answer is: there is no break of ABI.

A longer answer would include that the next release will also be hiding a previously exposed internal symbol by the name "_INTERNAL_trim_to_complete_utf8_characters". I don't consider that an ABI break but we'll probably find someone who does, on a technical level.

The related soversions are:

2.2. 9 = 7:11:6 -> libexpat.so.1.6.11 (GUIX today)
2.2.10 = 7:12:6 -> libexpat.so.1.6.12
2.3. 0 = 8: 0:7 -> libexpat.so.1.7.0 (GUIX W.I.P.)
2.4. 0 = 9: 0:8 -> libexpat.so.1.8.0 (upcoming)

I wish related tool https://verbump.de/ was more widely known.

Best

Sebastian
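The soversion table and the objdump SONAME check from the two messages above, worked through as an added example (not code from the Expat or Guix projects): it maps a libtool -version-info triple to the file name and SONAME libtool produces on GNU/Linux and decides whether one build can be grafted over another without a rebuild. The version table is the one quoted in the thread; the objdump output line is constructed to match it.

```python
import re
from typing import NamedTuple


class LibtoolVersion(NamedTuple):
    current: int
    revision: int
    age: int

    @classmethod
    def parse(cls, text: str) -> "LibtoolVersion":
        # Accepts the thread's spacing, e.g. "8: 0:7"
        c, r, a = (int(p) for p in text.replace(" ", "").split(":"))
        if min(c, r, a) < 0 or a > c:
            raise ValueError(f"invalid -version-info {text!r}")
        return cls(c, r, a)

    @property
    def major(self) -> int:
        # GNU/Linux libtool names the file lib<name>.so.<current-age>.<age>.<revision>
        return self.current - self.age

    def filename(self, lib: str = "expat") -> str:
        return f"lib{lib}.so.{self.major}.{self.age}.{self.revision}"

    def soname(self, lib: str = "expat") -> str:
        # The dynamic linker binds to the SONAME, i.e. only the major part
        return f"lib{lib}.so.{self.major}"


def graftable(old: LibtoolVersion, new: LibtoolVersion) -> bool:
    """`new` may replace `old` in place if it keeps the SONAME and still implements
    interface number old.current, the one libtool assumes old's consumers use."""
    return (old.major == new.major
            and new.current - new.age <= old.current <= new.current)


def soname_from_objdump(output: str) -> str:
    """Pull the SONAME out of `objdump -p` output (the check quoted in the thread)."""
    m = re.search(r"^\s*SONAME\s+(\S+)", output, re.MULTILINE)
    if m is None:
        raise ValueError("no SONAME entry in objdump output")
    return m.group(1)


# The version table quoted in the thread
EXPAT_VERSIONS = {
    "2.2.9": LibtoolVersion.parse("7:11:6"),
    "2.2.10": LibtoolVersion.parse("7:12:6"),
    "2.3.0": LibtoolVersion.parse("8: 0:7"),
    "2.4.0": LibtoolVersion.parse("9: 0:8"),
}
# Constructed stand-in for `objdump -p libexpat.so.1.7.0 | grep SONAME`
OBJDUMP_SAMPLE = "  SONAME               libexpat.so.1\n"
```

Running `graftable(EXPAT_VERSIONS["2.2.9"], v)` for each entry reproduces the thread's conclusion that all four builds share libexpat.so.1 and are graft-compatible.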
Re: Expat 2.3.0 has been released
Hello everyone,

just a quick heads up that there will be a new release of libexpat with security fix in a few weeks. Unless I looked in the wrong place, I noticed that your distro has not updated to libexpat 2.3.0 as of today. If you ran into any issues with packaging 2.3.0, please let me know now so that I can fix things upstream for you and everyone while there is still a window before next releases to do so. Thank you!

Best

Sebastian

On 25.03.21 21:27, Sebastian Pipping wrote:
> Hello everyone!
>
> Expat 2.3.0 — simplified — brings…
>
> - bugfixes,
> - improvements to both build systems, and
> - improvements to xmlwf usability.
>
> Please see the changelog at [1] for more details.
>
> If you have patches for Expat that are still required
> with version 2.3.0, please send them my way. Thank you!
>
> Best
>
> Sebastian
>
> [1] https://github.com/libexpat/libexpat/blob/R_2_3_0/expat/Changes
Expat 2.3.0 has been released
Hello everyone!

Expat 2.3.0 — simplified — brings…

- bugfixes,
- improvements to both build systems, and
- improvements to xmlwf usability.

Please see the changelog at [1] for more details.

If you have patches for Expat that are still required with version 2.3.0, please send them my way. Thank you!

Best

Sebastian

[1] https://github.com/libexpat/libexpat/blob/R_2_3_0/expat/Changes
Expat 2.2.10 has been released
Hello everyone!

Simplified, Expat 2.2.10 comes with bugfixes and with improvements to the build system, mostly the secondary CMake one. The change log with details is up at [1].

If you happen to be using CMake in packaging Expat already, please share any pain points and issues with me so that things improve further by the next release.

If you happen to have patches for Expat that are still required with 2.2.10, please send them my way.

Thanks and best

Sebastian

[1] https://github.com/libexpat/libexpat/blob/R_2_2_10/expat/Changes
Re: Expat 2.2.7 with security fixes has been released / CVE-2018-20843
Hi Jack and Marius,

glad to hear that GUIX saying "no" to 2.2.7 in general was a misunderstanding on my side. Thanks for the clarification!

Best

Sebastian
Re: Expat 2.2.7 with security fixes has been released / CVE-2018-20843
Hi Jack,

On 12.07.19 01:17, Jack Hill wrote:
> I'm pleased to let you know that we've applied the fix for
> CVE-2018-20843 in GNU Guix as of
> 5a836ce38c9c29e9c2bd306007347486b90c5064 [0]. We elected to backport the
> patch that fixed the problem instead of upgrading due to a change in the
> expat abi with 2.2.7 [1].
>
> Many thanks to Marius Bakke for advice and patience while reviewing the
> patches.
>
> [0] http://git.savannah.gnu.org/cgit/guix.git/commit/?id=5a836ce38c9c29e9c2bd306007347486b90c5064
>
> [1] https://issues.guix.gnu.org/issue/36424#2

thanks for the update on that matter!

Regarding the removed API symbols, those were never part of the public API so whoever used them needed to have copied prototypes for those into his own code base and be aware that using internal API is asking for trouble — the opposite of something to rely on. They made that choice, it should be their cost. openSUSE started using -fvisibility=hidden with their expat package way before Expat itself and they seem fine.

I discussed with senior Linux distro developers how hiding those symbols should affect Expat's .so versioning, if it should be an incompatible bump or not. There was no demand for doing an incompatible bump because all related symbols were never exposed by headers.

If you don't upgrade to 2.2.7, are you going to backport all bugfixes to 2.2.6 from now on? I maintain a few distro packages myself and I would consider that a big pain point and waste of time. I know of at least two parties who went with modifying a fork in the past and they are not in a good place with their fork regarding effort, bugfix, and security. Please don't add to that list, just please don't :-)

Is there anything I can do to make you reconsider? Is there something that I can do upstream in the Expat code base to smooth your path to Expat 2.2.8/2.3.0?

Thanks and best

Sebastian
Expat 2.2.7 with security fixes has been released / CVE-2018-20843
Hello everyone!

Sorry for the noise if you heard about the release of 2.2.7 about a week ago through some other channel and maybe even took action, already!

To be quick, there is one DoS fix — for CVE-2018-20843 [1] — and misc build system fixes. The change log with details is up at [2].

If you happen to have patches for Expat that are still required with 2.2.7, please send them my way.

Thanks and best

Sebastian

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843
[2] https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes
Expat 2.2.6 released
Hi everyone!

I would like to let you know that Expat 2.2.6 has just been released. Besides improvements to the build system, 2.2.6 is a bugfix release. For more details please check the change log at [1].

If you happen to have patches for Expat that are still required with 2.2.6, please send them my way.

Thanks and best

Sebastian

[1] https://github.com/libexpat/libexpat/blob/R_2_2_6/expat/Changes
Re: Expat in GuixSD, please update
Sorry, no time.

On 25.10.2017 16:05, Vincent Legoll wrote:
> Hello,
>
> maybe you can try to submit a patch for review...
>
> That ought to be fairly easy
Expat in GuixSD, please update
Hi GuixSD team,

from looking at [1] and [2] my impression is that GuixSD is still at version 2.2.2 with Expat, while there is version 2.2.4 with bugfixes upstream. Is there anything blocking an update on your side that needs fixing upstream?

Best

Sebastian

[1] https://repology.org/metapackage/expat/versions
[2] https://www.gnu.org/software/guix/packages/e.html
Expat 2.2.1 with security fixes has been released
Hi!

I'm contacting you because Expat 2.2.1 -- containing security fixes -- has just been released. For details please check the change log, online at https://github.com/libexpat/libexpat/blob/master/expat/Changes .

Best

Sebastian