- Update keyring automatically from keyserver during OBS service run.
- Explicitly use --without-docbook (before it was implicit).
- Include missing files for documentation and examples.
- Add manpage for xmlwf, which is not available in the release tarball.
- Clean the spec file a bit.
- Update to 2.6.0: 
  * Security fixes:
    - CVE-2023-52425 (boo#1219559)  
      -- Fix quadratic runtime issues with big tokens
      that can cause denial of service, in partial where
      dealing with compressed XML input.  Applications
      that parsed a document in one go -- a single call to
      functions XML_Parse or XML_ParseBuffer -- were not affected.
      The smaller the chunks/buffers you use for parsing
      previously, the bigger the problem prior to the fix.
      Backporters should be careful to no omit parts of
      pull request #789 and to include earlier pull request #771,
      in order to not break the fix.
    - CVE-2023-52426 (boo#1219561)
      -- Fix billion laughs attacks for users
      compiling *without* XML_DTD defined (which is not common).
      Users with XML_DTD defined have been protected since
      Expat >=2.4.0 (and that was CVE-2013-0340 back then).
  * Bug fixes:
    - Fix parse-size-dependent "invalid token" error for
      external entities that start with a byte order mark
    - Fix NULL pointer dereference in setContext via
      XML_ExternalEntityParserCreate for compilation with
      XML_DTD undefined
    - Protect against closing entities out of order

• Files Changed
• Browse Source