- Update to 1.1.43:
  * Major changes:
    - The non-standard EXSLT crypto extensions and support for dynamically
      loaded plugins are now disabled by default. These features can be
      enabled by passing --with-crypto or --with-plugins to configure.
      In a future release, these features will be removed.
    - Debug output and the debugger are disabled by default and can be
      enabled by passing --with-debug or --with-debugger.
  * Security:
    - [bsc#1239625, CVE-2025-24855] Fix use-after-free of XPath context node
    - [bsc#1239637, CVE-2024-55549] Fix UAF related to excluded namespaces
  * Bug fixes:
    - variables: Fix non-deterministic generated IDs
  * libxml2 related cleanup:
    - python: Don't use removed libxml2 macro
    - tests: Skip test_bad.xsl with libxml2 before 2.13
    - python: Don't include nanoftp.h and nanohttp.h
    - tests: Avoid namespace warning on Windows
    - numbers: Stop using libxml2 XPath axis API
    - numbers: Use private copy of xmlCopyCharMultiByte
    - documents: Use xmlCtxtParseDocument if available
    - tests: Make runtest compile with older libxml2 versions
    - utils: Account for libxml2 change
    - tests: Make bug-219.xsl compatible with older libxml2
    - extensions: always include stdlib.h (Hugo Beauzée-Luyssen)
    - extensions: Don't use libxml2's "modules" feature
  * Code cleanup:
    - numbers: Make static variables const
    - variables: Remove debug code
  * Portability:
OBS-URL: https://build.opensuse.org/request/show/1253116
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libxslt?expand=0&rev=111
- Removed patch 0009-Make-generate-id-deterministic.patch as it's
  already fixed upstream.
- Update to version 1.1.38:
  * Major changes:
    - About 40 memory errors in code paths handling malloc failures
      have been fixed.
    - While these issues shouldn't impact security, this improves
      robustness under memory pressure.
    - The result of generate-id() is now deterministic across
      multiple transformations fixing many issues with reproducible
      builds.
    - Most of the test suite has been ported to C.
  * Bug fixes:
    - Fix memory errors in code handling malloc failures
    - imports: Fix import/include cycle check
    - xsltlocale: Fix xsltNewLocale on macOS
    - Make xsl:sort thread-safe
    - Make generate-id() deterministic
  * Improvements
    - Stop using xmlStringCurrentChar
    - attributes.h needs to include xsltInternals.h (David Kilzer)
    - transform: Avoid null deref on documents without root node
    - numbers: Fix floating point overflows
    - date: Fix integer overflow in exsltDateFormatDuration
    - numbers: Fix harmless integer sign change
    - date: Add more overflow checks to formatting code (David Kilzer)
    - date: Fix rounding to make Windows tests pass
    - date: Rewrite duration and seconds formatting
OBS-URL: https://build.opensuse.org/request/show/1085767
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libxslt?expand=0&rev=97
- Update to 1.1.34: Oct 30 2019
  * Documentation:
    - Fix EXSLT web pages, Regenerate web pages
    - Fix Git link in news.html
    - Minor documentation fixes after recent changes
    - Regenerate symbols and API docs
    - Regenerate EXSLT website
  * Portability:
    - Remove stubs when compiling without debugger or profiler
    - configure.ac: Invoke PKG_CHECK_MODULES for building shared libraries
    - configure.ac: Conditionally determine whether xml2-config should pass
      shared libraries or static libraries
    - xslt-config.in: Fix broken --prefix=DIR support
    - libexslt.pc.in: Do not expose private library dependencies unless invoked
    - libxslt.pc.in: Do not expose private library dependencies unless invoked
    - Fix -Wformat-overflow warning (GCC 9)
    - Stop including ansidecl.h
    - Remove WIN32_EXTRA_* variables
    - Build without winsock
  * Bug Fixes:
    - xsl:template without name and match attributes should not be allowed
    - Make sure that Python tests exit with error code
    - Improve handling of invalid UTF-8 in format-number
    - Fix dangling pointer in xsltCopyText
    - Fix memory leak in pattern compilation error path
    - Fix uninitialized read with UTF-8 grouping chars
    - Fix integer overflow in FORMAT_GYEAR
    - Fix performance regression with xsl:number
    - Backup XPath context node in xsltInitCtxtKey
    - Fix unsigned integer overflow in date.c
OBS-URL: https://build.opensuse.org/request/show/750071
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libxslt?expand=0&rev=82
- Security fix: [bsc#1140101, CVE-2019-13118]
  * Fix uninitialized read with UTF-8 grouping chars. Read of
    uninitialized stack data due to too narrow xsl:number
    instruction and an invalid character
  * Added libxslt-CVE-2019-13118.patch
- Security fix: [bsc#1140095, CVE-2019-13117]
  * Fix uninitialized read of xsl:number token. An xsl number with
    certain format strings could lead to an uninitialized read in
    xsltNumberFormatInsertNumbers
  * Added libxslt-CVE-2019-13117.patch
OBS-URL: https://build.opensuse.org/request/show/713209
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libxslt?expand=0&rev=73
- Security fix: [bsc#1132160, CVE-2019-11068]
  * Bypass of a protection mechanism because callers of xsltCheckRead
    and xsltCheckWrite permit access even upon receiving a -1 error
    code. xsltCheckRead can return -1 for a crafted URL that is not
    actually invalid and is subsequently loaded.
  * Added libxslt-CVE-2019-11068.patch
OBS-URL: https://build.opensuse.org/request/show/693129
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libxslt?expand=0&rev=71
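
Added example (not part of the libxslt sources or of this changelog): a minimal C model of the CVE-2019-11068 pattern described above, where a caller that blocks only on 0 lets a -1 error result through, next to a fail-closed caller. check_read, the policy prefix and the length-based error condition are assumptions made for illustration, not libxslt code.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a tri-state policy check such as xsltCheckRead:
 * 1 = access allowed, 0 = access denied, -1 = the check itself failed. */
static int check_read(const char *url)
{
    static const char allowed[] = "file:///srv/xsl/";  /* constructed policy */

    /* Constructed error condition: this model cannot evaluate long URLs.
     * It is not the real trigger, only a way to produce the -1 case. */
    if (url == NULL || strlen(url) > 40)
        return -1;
    return strncmp(url, allowed, sizeof(allowed) - 1) == 0 ? 1 : 0;
}

/* Fail-open caller: only an explicit 0 blocks the load, so -1 falls through. */
static int may_load_fail_open(const char *url)
{
    int res = check_read(url);
    if (res == 0)
        return 0;   /* denied */
    return 1;       /* allowed, and also reached when res == -1 */
}

/* Fail-closed caller: anything other than a positive answer blocks the load. */
static int may_load_fail_closed(const char *url)
{
    int res = check_read(url);
    if (res <= 0)
        return 0;   /* denied, or the check failed */
    return 1;       /* explicitly allowed */
}

int main(void)
{
    const char *samples[] = {   /* constructed sample inputs */
        "file:///srv/xsl/main.xsl",
        "file:///home/user/notes.xml",
        "file:///tmp/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.xml",
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-58s check=%2d open=%d closed=%d\n", samples[i],
               check_read(samples[i]), may_load_fail_open(samples[i]),
               may_load_fail_closed(samples[i]));
    return 0;
}
```

When auditing callers of any allow/deny/error API, the comparison to look for is an equality test against the deny value where the error value is also possible.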