expat (2.7.1-2) unstable; urgency=medium

  * Move libc6 dependency to pre-dependency on libexpat1 to prevent
    dist-upgrade errors with python packages (closes: #1108934).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Mon, 14 Jul 2025 08:05:27 +0000

expat (2.7.1-1) unstable; urgency=medium

  * New upstream release:
    - fixes libxml-parser-perl regression (closes: #1100845).
  * Update watch file.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Thu, 27 Mar 2025 19:56:41 +0100

expat (2.7.0-1) unstable; urgency=high

  * New upstream release:
    - fixes CVE-2024-8176: long linear chains of entities crash with stack
      overflow.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Fri, 14 Mar 2025 20:12:24 +0100

expat (2.6.4-1) unstable; urgency=medium

  * New upstream release.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Fri, 08 Nov 2024 17:45:00 +0100

expat (2.6.3-2) unstable; urgency=high

  * Backport upstream fix for CVE-2024-50602: stop XML_ResumeParser() from
    crashing (closes: #1086134).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sun, 27 Oct 2024 17:58:30 +0100

expat (2.6.3-1) unstable; urgency=medium

  * New upstream release.
  * Update watch file.
  * Update Standards-Version to 4.7.0 .

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Wed, 04 Sep 2024 20:33:01 +0200

expat (2.6.2-2) unstable; urgency=high

  * Backport security fix for CVE-2024-45490: reject negative len for
    XML_ParseBuffer() (closes: #1080149).
  * Backport security fix for CVE-2024-45491: detect integer overflow in
    dtdCopy() (closes: #1080150).
  * Backport security fix for CVE-2024-45492: detect integer overflow in
    function nextScaffoldPart() (closes: #1080152).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sat, 31 Aug 2024 11:48:45 +0200

expat (2.6.2-1) unstable; urgency=medium

  * New upstream release.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Wed, 13 Mar 2024 21:40:29 +0100

expat (2.6.1-2) unstable; urgency=high

  * Backport security fix for CVE-2024-28757: prevent billion laughs attacks
    in isolated external parser (closes: #1065868).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sun, 10 Mar 2024 18:24:38 +0100

expat (2.6.1-1) unstable; urgency=medium

  * New upstream release.

  [ Helmut Grohne <helmut@subdivi.de> ]
  * Move files to /usr (DEP17) (closes: #1063553).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Wed, 06 Mar 2024 06:55:07 +0100

expat (2.6.0-1) unstable; urgency=high

  * New upstream release:
    - fixes CVE-2023-52425: fix quadratic runtime issues with big tokens that
      can cause denial of service (closes: #1063238),
    - fixes CVE-2023-52426: fix billion laughs attacks for users compiling
      without XML_DTD defined (which is not common) (closes: #1063240).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Tue, 06 Feb 2024 22:00:26 +0100

expat (2.5.0-2) unstable; urgency=medium

  [ Samuel Thibault <sthibault@debian.org> ]
  * Generalize libbsd-dev build dependency on kfreebsd and hurd ports
    (closes: #1035556).

  [ Henry N. <henrynmail-debian@yahoo.com> ]
  * Fix building with profile nodoc (stage1) (closes: #1037080).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Wed, 14 Jun 2023 22:08:48 +0200

expat (2.5.0-1) unstable; urgency=high

  * New upstream release:
    - fixes CVE-2022-43680: heap use-after-free after overeager destruction of
      a shared DTD in XML_ExternalEntityParserCreate() (closes: #1022743).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Wed, 26 Oct 2022 15:31:29 +0200

expat (2.4.9-1) unstable; urgency=medium

  * New upstream release.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Wed, 21 Sep 2022 18:42:18 +0200

expat (2.4.8-2) unstable; urgency=high

  * Backport security fix for CVE-2022-40674: heap use-after-free issue in
    doContent() (closes: #1019761).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Thu, 15 Sep 2022 20:53:15 +0200

expat (2.4.8-1) unstable; urgency=medium

  * New upstream release.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Tue, 29 Mar 2022 22:01:08 +0200

expat (2.4.7-1) unstable; urgency=medium

  * New upstream release:
    - relax fix to CVE-2022-25236 with regard to all valid URI characters
      (RFC 3986).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sat, 05 Mar 2022 07:11:48 +0100

expat (2.4.6-1) unstable; urgency=medium

  * New upstream release.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Mon, 21 Feb 2022 21:08:18 +0100

expat (2.4.5-2) unstable; urgency=medium

  * Fix build_model regression (closes: #1006162).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sun, 20 Feb 2022 16:26:07 +0100

expat (2.4.5-1) unstable; urgency=high

  * New upstream release:
    - fixes CVE-2022-25235: certain validation of encoding, such as checks
      for whether a UTF-8 character is valid can cause code execution
      (closes: #1005894),
    - fixes CVE-2022-25236: passing namespace separator characters can cause
      code execution (closes: #1005895),
    - fixes CVE-2022-25313: an attacker can trigger stack exhaustion in
      build_model via a large nesting depth in the DTD element,
    - fixes CVE-2022-25314: integer overflow in function copyString() ,
    - fixes CVE-2022-25315: integer overflow in function storeRawNames() .

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sat, 19 Feb 2022 07:34:25 +0100

expat (2.4.4-1) unstable; urgency=medium

  * New upstream release.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Tue, 01 Feb 2022 18:51:12 +0100

expat (2.4.3-3) unstable; urgency=high

  * Backport security fix for CVE-2022-23990: integer overflow in
    doProlog() .

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Thu, 27 Jan 2022 06:44:50 +0100

expat (2.4.3-2) unstable; urgency=high

  * Backport security fix for CVE-2022-23852: XML_GetBuffer() signed integer
    overflow.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Mon, 24 Jan 2022 18:18:59 +0100

expat (2.4.3-1) unstable; urgency=high

  * New upstream release:
    - fixes CVE-2021-45960: left shifts by >=29 places resulting in realloc
      acting as free, realloc allocating too few bytes, undefined behavior
      depending on architecture,
    - fixes CVE-2021-46143: integer overflow leading to realloc acting
      as free,
    - fixes CVE-2022-22822: integer overflow in function addBinding,
    - fixes CVE-2022-22823: integer overflow in function build_model,
    - fixes CVE-2022-22824: integer overflow in function defineAttribute,
    - fixes CVE-2022-22825: integer overflow in function lookup,
    - fixes CVE-2022-22826: integer overflow in function nextScaffoldPart,
    - fixes CVE-2022-22827: integer overflow in function storeAtts.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sun, 16 Jan 2022 21:48:09 +0100

expat (2.4.2-1) unstable; urgency=medium

  * New upstream release.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Thu, 23 Dec 2021 19:05:43 +0100

expat (2.4.1-3) unstable; urgency=medium

  * Update watch file.
  * Update Standards-Version to 4.6.0 .

  [ Andrius Merkys <merkys@debian.org> ]
  * Fix incorrect path for expat library in expat-noconfig.cmake
    (closes: #995907).
  * Fix incorrect path for INTERFACE_INCLUDE_DIRECTORIES in expat.cmake
    (closes: #996612).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sun, 24 Oct 2021 18:48:18 +0200

expat (2.4.1-2) unstable; urgency=medium

  * Upload to Sid.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Thu, 09 Sep 2021 21:26:21 +0200

expat (2.4.1-1) experimental; urgency=high

  * New upstream release:
    - fix CVE-2013-0340: protect against billion laughs attacks
      (denial-of-service; flavors targeting CPU time or RAM or both,
      leveraging general entities or parameter entities or both).
  * Update libexpat1 symbols.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Mon, 24 May 2021 10:14:11 +0200

expat (2.3.0-1) experimental; urgency=medium

  * New upstream release.
  * Update debhelper level to 13 .
  * Update Standards-Version to 4.5.1 .

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Mon, 10 May 2021 19:20:19 +0200

expat (2.2.10-2) unstable; urgency=medium

  * Provide stage1 (bootstrap) build profile (closes: #896011).

  [ Matthias Klose <doko@ubuntu.com> ]
  * Don't build the udeb package when requested (closes: #983324).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Tue, 23 Feb 2021 17:54:13 +0100

expat (2.2.10-1) unstable; urgency=medium

  * New upstream release.
  * Update Standards-Version to 4.5.0 .

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sun, 04 Oct 2020 07:39:41 +0200

expat (2.2.9-1) unstable; urgency=medium

  * New upstream release.
  * Update Standards-Version to 4.4.0 .

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sat, 28 Sep 2019 18:49:55 +0000

expat (2.2.7-2) unstable; urgency=high

  * Fix CVE-2019-15903: deny internal entities closing the doctype
    (closes: #939394).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Wed, 04 Sep 2019 18:01:00 +0000

expat (2.2.7-1) unstable; urgency=medium

  * New upstream release.
  * Update libexpat1 symbols.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sat, 13 Jul 2019 21:46:00 +0000

# Older entries have been removed from this changelog.
# To read the complete changelog use `apt changelog libexpat1-dev`.