Dominique Leuenberger d02e2bf821 Accepting request 1353228 from devel:libraries:c_c++
- update to 2.8.1
   (bsc#1264713, CVE-2026-45186,
    bsc#1262263, CVE-2026-41080):
  * Fix quadratic runtime from attribute name
    collision checks that allowed denial of service attacks
    through moderately sized crafted XML input (CWE-407).
    Please note that a layer of compression around XML can
    significantly reduce the minimum attack payload size.
  * CVE-2026-41080 -- The existing hash flooding
    protection only used 4 to 8 bytes of entropy for
    a salt, when 16 bytes of salt are supported by the
    implementation of SipHash used by Expat. Now full 16 bytes
    of entropy are used to improve protection against hash
    flooding attacks.
  * Existing API function XML_SetHashSalt is now deprecated
    because of its limitations, and its use should be
    considered a vulnerability. Please either use the new API
    function XML_SetHashSalt16Bytes (with known-high-quality
    entropy input only!) instead, or leave the derivation of
    a 16-bytes hash salt from high quality entropy to Expat's
    internal machinery (by *not* calling either of the two
    XML_SetHashSalt* functions).

- version update to 2.6.4
- Update to 2.6.3:
      for what these numbers do
  * Added libxml2-fix-xmlwf.1-handling.patch
- Update to 2.6.0:
    - CVE-2023-52425 (boo#1219559, bsc#1221563)
    - CVE-2022-43680 -- Fix heap use-after-free after overeager

OBS-URL: https://build.opensuse.org/request/show/1353228
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/expat?expand=0&rev=86
2026-05-16 17:23:32 +00:00
2026-05-14 19:16:28 +00:00
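The changelog above says remaining uses of XML_SetHashSalt should be considered a vulnerability. The following audit script is an added example, not part of this commit or of Expat: it reports the lines in C source that call the deprecated function, separately from calls to XML_SetHashSalt16Bytes, and ignores mentions in comments and literals. The names `audit_hash_salt`, `blank_non_code` and `SAMPLE_C` are hypothetical, the sample source is constructed, and the argument list shown for XML_SetHashSalt16Bytes is a placeholder rather than its documented signature.

```python
import re

# Call to the deprecated function only: "XML_SetHashSalt16Bytes(" cannot
# match because "16Bytes" sits between the name and the parenthesis.
DEPRECATED_CALL = re.compile(r"\bXML_SetHashSalt\s*\(")
REPLACEMENT_CALL = re.compile(r"\bXML_SetHashSalt16Bytes\s*\(")

NON_CODE = re.compile(
    r"/\*.*?\*/|//[^\n]*"        # block and line comments
    r'|"(?:\\.|[^"\\\n])*"'      # string literals
    r"|'(?:\\.|[^'\\\n])*'",     # character literals
    re.DOTALL,
)


def blank_non_code(src):
    """Overwrite comments and literals with spaces, preserving newlines."""
    return NON_CODE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)


def audit_hash_salt(src):
    """Return (deprecated_lines, replacement_lines), 1-based line numbers."""
    code = blank_non_code(src)

    def lines(pattern):
        return [code.count("\n", 0, m.start()) + 1
                for m in pattern.finditer(code)]

    return lines(DEPRECATED_CALL), lines(REPLACEMENT_CALL)


# Constructed sample input, not taken from any real project.
SAMPLE_C = '''\
#include <expat.h>
/* XML_SetHashSalt(p, 1) used to live here */
void setup(XML_Parser p, unsigned long weak) {
  XML_SetHashSalt (p, weak);          // deprecated call
  puts("XML_SetHashSalt(");
}
void setup16(XML_Parser p, const unsigned char *salt) {
  XML_SetHashSalt16Bytes(p, salt);    /* placeholder arguments */
}
'''

if __name__ == "__main__":
    deprecated, replacement = audit_hash_salt(SAMPLE_C)
    print("deprecated XML_SetHashSalt calls on lines:", deprecated)
    print("XML_SetHashSalt16Bytes calls on lines:", replacement)
```

Lines reported for XML_SetHashSalt16Bytes still need a manual check that the salt comes from high-quality entropy, as the changelog requires.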