- Removed patch 0009-Make-generate-id-deterministic.patch as it's
already fixed upstream.
- Update to version 1.1.38:
* Major changes:
- About 40 memory errors in code paths handling malloc failures
have been fixed.
- While these issues shouldn't impact security, this improves
robustness under memory pressure.
- The result of generate-id() is now deterministic across
multiple transformations fixing many issues with reproducible
builds.
- Most of the test suite has been ported to C.
* Bug fixes:
- Fix memory errors in code handling malloc failures
- imports: Fix import/include cycle check
- xsltlocale: Fix xsltNewLocale on macOS
- Make xsl:sort thread-safe
- Make generate-id() deterministic
* Improvements
- Stop using xmlStringCurrentChar
- attributes.h needs to include xsltInternals.h (David Kilzer)
- transform: Avoid null deref on documents without root node
- numbers: Fix floating point overflows
- date: Fix integer overflow in exsltDateFormatDuration
- numbers: Fix harmless integer sign change
- date: Add more overflow checks to formatting code (David Kilzer)
- date: Fix rounding to make Windows tests pass
- date: Rewrite duration and seconds formatting
OBS-URL: https://build.opensuse.org/request/show/1085767
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libxslt?expand=0&rev=97
- Update to 1.1.34: Oct 30 2019
* Documentation:
- Fix EXSLT web pages, Regenerate web pages
- Fix Git link in news.html
- Minor documentation fixes after recent changes
- Regenerate symbols and API docs
- Regenerate EXSLT website
* Portability:
- Remove stubs when compiling without debugger or profiler
- configure.ac: Invoke PKG_CHECK_MODULES for building shared libraries
- configure.ac: Conditionally determine whether xml2-config should pass
shared libraries or static libraries
- xslt-config.in: Fix broken --prefix=DIR support
- libexslt.pc.in: Do not expose private library dependencies unless invoked
- libxslt.pc.in: Do not expose private library dependencies unless invoked
- Fix -Wformat-overflow warning (GCC 9)
- Stop including ansidecl.h
- Remove WIN32_EXTRA_* variables
- Build without winsock
* Bug Fixes:
- xsl:template without name and match attributes should not be allowed
- Make sure that Python tests exit with error code
- Improve handling of invalid UTF-8 in format-number
- Fix dangling pointer in xsltCopyText
- Fix memory leak in pattern compilation error path
- Fix uninitialized read with UTF-8 grouping chars
- Fix integer overflow in FORMAT_GYEAR
- Fix performance regression with xsl:number
- Backup XPath context node in xsltInitCtxtKey
- Fix unsigned integer overflow in date.c
OBS-URL: https://build.opensuse.org/request/show/750071
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libxslt?expand=0&rev=82
- Security fix: [bsc#1140101, CVE-2019-13118]
* Fix uninitialized read with UTF-8 grouping chars. Read of
uninitialized stack data due to too narrow xsl:number
instruction and an invalid character
* Added libxslt-CVE-2019-13118.patch
- Security fix: [bsc#1140095, CVE-2019-13117]
* Fix uninitialized read of xsl:number token. An xsl number with
certain format strings could lead to a uninitialized read in
xsltNumberFormatInsertNumbers
* Added libxslt-CVE-2019-13117.patch
- Security fix: [bsc#1140101, CVE-2019-13118]
* Fix uninitialized read with UTF-8 grouping chars. Read of
uninitialized stack data due to too narrow xsl:number
instruction and an invalid character
* Added libxslt-CVE-2019-13118.patch
- Security fix: [bsc#1140095, CVE-2019-13117]
* Fix uninitialized read of xsl:number token. An xsl number with
certain format strings could lead to a uninitialized read in
xsltNumberFormatInsertNumbers
* Added libxslt-CVE-2019-13117.patch
OBS-URL: https://build.opensuse.org/request/show/713209
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libxslt?expand=0&rev=73
- Security fix: [bsc#1132160, CVE-2019-11068]
* Bypass of a protection mechanism because callers of xsltCheckRead
and xsltCheckWrite permit access even upon receiving a -1 error
code. xsltCheckRead can return -1 for a crafted URL that is not
actually invalid and is subsequently loaded.
* Added libxslt-CVE-2019-11068.patch
- Security fix: [bsc#1132160, CVE-2019-11068]
* Bypass of a protection mechanism because callers of xsltCheckRead
and xsltCheckWrite permit access even upon receiving a -1 error
code. xsltCheckRead can return -1 for a crafted URL that is not
actually invalid and is subsequently loaded.
* Added libxslt-CVE-2019-11068.patch
OBS-URL: https://build.opensuse.org/request/show/693129
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libxslt?expand=0&rev=71
- Update to version 1.1.30 [bsc#1063934]
* Documentation:
- Misc doc fixes
* Portability:
- Look for libxml2 via pkg-config first
* Bug Fixes:
- Also fix memory hazards in exsltFuncResultElem
- Fix NULL deref in xsltDefaultSortFunction
- Fix memory hazards in exsltFuncFunctionFunction
- Fix memory leaks in EXSLT error paths
- Fix memory leak in str:concat with empty node-set
- Fix memory leaks in error paths
- Switch to xmlUTF8Strsize in numbers.c
- Fix NULL pointer deref in xsltFormatNumberFunction
- Fix UTF-8 check in str:padding
- Fix xmlStrPrintf argument
- Check for overflow in _exsltDateParseGYear
- Fix double to int conversion
- Check for overflow in exsltDateParseDuration
- Change version of xsltMaxVars back to 1.0.24
- Disable xsltCopyTextString optimization for extensions
- Create DOCTYPE for HTML version 5
- Make xsl:decimal-format work with namespaces
- Remove norm:localTime extension function
- Check for integer overflow in xsltAddTextString
- Detect infinite recursion when evaluating function arguments
- Fix memory leak in xsltElementAvailableFunction
- Fix for pattern predicates calling functions
- Fix cmd.exe invocations in Makefile.mingw
- Don't try to install index.sgml
OBS-URL: https://build.opensuse.org/request/show/535190
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libxslt?expand=0&rev=65
