CVE-2022-25313, CVE-2022-25314, and CVE-2022-25315. Relevant for
OpenBSD are security fixes#558#559#560#561#562 and bug fixes
#566. No library bump necessary.
OK tb@
and CVE-2022-22822 to CVE-2022-22827. Relevant for OpenBSD are
security fixes#531#534#532#538#539 and other changes #527#513#514#502#503. No library bump necessary.
OK millert@
expat uses arc4random_buf(3) as first option if available. Drop
our local patch. Behavior stays the same. Updates will be easier.
Environment variable EXPAT_ENTROPY_DEBUG can be used to check that
arc4random_buf() is really used.
OK sthen@
OpenBSD are security fixes#34#466#484 and other changes #467#473#483. A new error number in a public header requires a major
library bump. Two functions have been added to API.
OK tb@
#438 and other change #443. A new error constant has been added
to a public header file. According to guenther@ this is an ABI
break that requires a major bump.
OK tb@; tested by matthieu@
(or XML_GetCurrentColumnNumber), and deny internal entities closing
the doctype; CVE-2019-15903
fixed in commit c20b758c332d9a13afbbb276d30db1d183a85d43
OK tb@
- Avoid doing arithmetic with NULL pointers in XML_GetBuffer
- Fix 2.2.5 regression with suspend-resume while parsing
a document like '<root/>'
- Address compiler warnings
- Fix miscellaneous typos
on i386 and allows to compile the C++ test. Upstream dropped the
ULL in an insufficient attempt to make the siphash code C89 compatible.
Their fix will be more complicated.
No binary change.
exported symbols to the indended API. We do not need a Symbols.map
anymore. Major library bump is necessary as some internal functions
vanish from the ABI.
Discussed upstream with Sebastian Pipping; ports bulk build ajacoutot@;
OK deraadt@
- CVE-2017-9233 CVE-2016-9063 CVE-2016-5300 CVE-2016-4472 CVE-2016-0718
CVE-2015-2716 CVE-2015-1283 CVE-2012-6702 CVE-2012-0876 have been
addressed. Not all of them affect OpenBSD as we had fixes before.
- Upstream uses arc4random_buf(3) now. Delete all code for other
entropy sources to make sure to compile the correct one. Our
library already used arc4random(3) before.
- The overflow fixes in rev 1.11 and 1.12 of lib/xmlparse.c
have been commited upstream in a different way. Use the upstream
code to make maintenance easier.
- Although it should be ABI compatible, there is a new global
symbol align_limit_to_full_utf8_characters. As it is in
lib/internal.h, add a Symbols.map to restrict the export. Do not
bump the shared library version.
- Use the internal expat's siphash.h.
ports build ajacoutot@; move ahead deraadt@
members to 64bit types. Assign new syscall numbers for (almost
all) the syscalls that involve the affected types, including anything
with time_t, timeval, itimerval, timespec, rusage, dirent, stat,
or kevent arguments. Add a d_off member to struct dirent and replace
getdirentries() with getdents(), thus immensely simplifying and
accelerating telldir/seekdir. Build perl with -DBIG_TIME.
Bump the major on every single base library: the compat bits included
here are only good enough to make the transition; the T32 compat
option will be burned as soon as we've reached the new world are
are happy with the snapshots for all architectures.
DANGER: ABI incompatibility. Updating to this kernel requires extra
work or you won't be able to login: install a snapshot instead.
Much assistance in fixing userland issues from deraadt@ and tedu@
and build assistance from todd@ and otto@