- Update from version 2.12.3 to 2.13.3
- Update of rootfile
- CVE fixes in 2.13.3, 2.12.7, 2.12.5
- Changelog

2.13.3

### Security
- [CVE-2024-40896] Fix XXE protection in downstream code

### Regressions
- autotools: Use AC_CHECK_DECL to check for getentropy
- xinclude: Fix fallback for text includes
- io: Don't call getcwd in xmlParserGetDirectory
- io: Fix return value of xmlFileRead
- parser: Fix error return of xmlParseBalancedChunkMemory

### Improvements
- xinclude: Set error handler when parsing text
- Undeprecate xmlKeepBlanksDefault

2.13.2

### Regressions
- tree: Fix handling of empty strings in xmlNodeParseContent
- valid: Restore ID lookup
- parser: Reenable ctxt->directory
- uri: Handle filesystem paths in xmlBuildRelativeURISafe
- encoding: Make xmlFindCharEncodingHandler return UTF-8 handler
- encoding: Fix encoding lookup with xmlOpenCharEncodingHandler
- include: Define ATTRIBUTE_UNUSED for clang
- uri: Fix xmlBuildURI with NULL base

### Improvements
- uri: Enable Windows paths on Cygwin
- tests: Clarify licence of test/intsubset2.xml

2.13.1

### Regressions
- parser: Selectively reenable reading from "-"
- reader: Fix xmlTextReaderReadString
- xinclude: Set XPath context doc
- xinclude: Load included documents with XML_PARSE_DTDLOAD
- include: Don't redefine ATTRIBUTE_UNUSED
- include: Readd circular dependency between tree.h and parser.h
- xinclude: Add missing include (Jan Alexander Steffens (heftig))
- win32, msvc: fix missing linking against Bcrypt.lib (Miklos Vajna)
- xinclude: Don't raise error on empty nodeset
- parser: Make failure to load main document a warning
- tree: Fix freeing entities via xmlFreeNode
- parser: Pass global object to sax->setDocumentLocator

### Improvements
- io: Fix resetting xmlParserInputBufferCreateFilename hook

### Documentation
- Fix typo in NEWS (--with-html -> --with-http) (Ryan Carsten Schmidt)
- doc: Don't mention xmlNewInputURL

2.13.0

### Major changes

Most of the core code should now report malloc failures reliably. Some API functions were extended with versions that report malloc failures.

New API functions for error handling were added:

- xmlCtxtSetErrorHandler
- xmlXPathSetErrorHandler
- xmlXIncludeSetErrorHandler

This makes it possible to register per-context error handlers without resorting to global handlers.

A few error messages were improved and consolidated. Please update downstream test suites accordingly.

A new parser option XML_PARSE_NO_XXE can be used to disable loading of external entities or DTDs. This is most useful in connection with XML_PARSE_NOENT.

Support for HTTP POST was removed.

Support for zlib, liblzma and HTTP is now disabled by default and has to be enabled by passing --with-zlib, --with-lzma or --with-http to configure. In legacy mode (--with-legacy) these options are enabled by default as before.

Support for FTP will be removed in the next release.

Support for the range and point extensions of the xpointer() scheme will be removed in the next release. The rest of the XPointer implementation won't be affected. The xpointer() scheme will behave like the xpath1() scheme.

Several more legacy symbols were deprecated. Users of the old "SAX1" API functions are encouraged to upgrade to the new "SAX2" API, available since version 2.6.0 from 2003.

Some deprecated global variables were made const:

- htmlDefaultSAXHandler
- oldXMLWDcompatibility
- xmlDefaultSAXHandler
- xmlDefaultSAXLocator
- xmlParserDebugEntities

### Deprecations and removals
- threads: Deprecate remaining ThrDef functions
- unicode: Deprecate most xmlUCSIs* functions
- memory: Remove memory debugging
- tree: Deprecate xmlRegisterNodeDefault
- tree: Deprecate xmlSetCompressMode
- html: Deprecate htmlHandleOmittedElem
- valid: Deprecate internal validation functions
- valid: Deprecate old DTD serialization API
- nanohttp: Deprecate public API
- Remove VMS support
- Remove Trio

### Bug fixes
- parser: Fix base URI of internal parameter entities
- tree: Handle predefined entities in xmlBufGetEntityRefContent
- schemas: Allow unlimited length decimals, integers etc. (Tomáš Ženčák)
- reader: Fix preservation of attributes
- parser: Always decode entities in namespace URIs
- relaxng: Fix tree corruption in xmlRelaxNGParseNameClass (Seiya Nakata)
- schemas: Fix ADD_ANNOTATION
- tree: Fix tree iteration in xmlDOMWrapRemoveNode
- tree: Declare namespace on clone in xmlDOMWrapCloneNode
- tree: Fix xmlAddSibling with last sibling
- tree: Fix xmlDocSetRootElement with multiple top-level elements
- catalog: Fetch XML catalog before dumping
- html: Don't close fd in htmlCtxtReadFd

### Improvements
- parser: Fix "Truncated multi-byte sequence" error
- Add missing _cplusplus processing clause (Sadaf Ebrahimi)
- parser: Rework handling of undeclared entities
- SAX2: Warn if URI resolution failed
- parser: Don't report error on invalid URI
- xmllint: Clean up option handling
- xmllint: Rework parsing
- parser: Don't create undeclared entity refs in substitution mode
- Make some globals const
- reader: Make xmlTextReaderReadString non-recursive
- reader: Rework xmlTextReaderRead{Inner,Outer}Xml
- Remove redundant size check (Niels Dossche)
- Remove redundant NULL check on cur (Niels Dossche)
- Remove always-false check old == cur (Niels Dossche)
- Remove redundant NULL check on cur (Niels Dossche)
- tree: Don't return empty localname in xmlSplitQName{2,3}
- xinclude: Don't try to fix base of non-elements
- tree: Don't coalesce text nodes in xmlAdd{Prev,Next}Sibling
- SAX2: Optimize appending children
- tree: Align xmlAddChild with other node insertion functions
- html: Use binary search in htmlEntityValueLookup
- io: Allocate output buffer with XML_BUFFER_ALLOC_IO
- encoding: Don't shrink input too early in xmlCharEncOutput
- tree: Tighten source doc check in xmlDOMWrapAdoptNode
- tree: Check destParent->doc in xmlDOMWrapCloneNode
- tree: Refactor text node updates
- tree: Refactor node insertion
- tree: Refactor element creation and parsing of attribute values
- tree: Simplify xmlNodeGetContent, xmlBufGetNodeContent
- buf: Don't use default buffer size for small strings
- string: Fix xmlStrncatNew(NULL, "")
- entities: Don't allow null name in xmlNewEntity
- html: Fix quadratic behavior in htmlNodeDump
- tree: Rewrite xmlSetTreeDoc
- valid: Rework xmlAddID
- tree: Remove unused node types
- tree: Make namespace comparison more consistent
- tree: Don't allow NULL name in xmlSetNsProp
- tree: Rework xmlNodeListGetString
- tree: Rework xmlTextMerge
- tree: Rework xmlNodeSetName
- tree: Simplify xmlAddChild with text parent
- tree: Disallow setting content of entity reference nodes
- tree: Rework xmlReconciliateNs
- schemas: fix spurious warning about truncated snprintf output (Benjamin Gilbert)
- xmlschemastypes: Remove unreachable if statement (Maks Mishin)
- relaxng: Remove useless if statement (Maks Mishin)
- tree: Check for integer overflow in xmlStringGetNodeList
- http: Improve error message for HTTPS redirects
- catalog: Remove Windows hack
- save: Move DTD serialization code to xmlsave.c
- parser: Report fatal error if document entity couldn't be loaded
- xpath: Fix return of empty node-set in xmlXPathNodeCollectAndTest
- SAX2: Limit entity URI length to 2000 bytes
- parser: Account for full size of non-well-formed entities
- parser: Pop inputs if parsing DTD failed
- parser: Fix quadratic behavior when copying entities
- writer: Implement xmlTextWriterClose
- parser: Avoid duplicate namespace errors
- parser: Add XML_PARSE_NO_XXE parser option
- parser: Make xmlParseContent more useful
- error: Make xmlFormatError public
- encoding: Check whether encoding handlers support input/output
- SAX2: Enforce size limit in xmlSAX2Text with XML_PARSE_HUGE
- parser: Lower maximum entity nesting depth
- parser: Set depth limit to 2048 with XML_PARSE_HUGE
- parser: Implement xmlCtxtSetOptions
- parser: Always prefer option members over bitmask
- parser: Don't modify SAX2 handler if XML_PARSE_SAX1 is set
- parser: Rework parsing of attribute and entity values
- save: Output U+FFFD replacement characters
- parser: Simplify entity size accounting
- parser: Avoid unwanted expansion of parameter entities
- parser: Always copy content from entity to target
- parser: Simplify control flow in xmlParseReference
- parser: Remove xmlSetEntityReferenceFunc feature
- parser: Push general entity input streams on the stack
- parser: Move progressive flag into input struct
- parser: Fix in-parameter-entity and in-external-dtd checks
- xpath: Rewrite substring-before and substring-after
- xinclude: Only set xml:base if necessary
- xinclude: Allow empty nodesets
- parser: Rework general entity parsing
- io: Fix close error handling
- io: Fix read/write error handling
- io: More refactoring and unescaping fixes
- io: Move some code from xmlIO.c to parserInternals.c
- uri: Clean up special parsing modes
- xinclude: Rework xml:base fixup
- parser: Also set document properties when push parsing
- include: Move non-generated parts from xmlversion.h.in
- io: Remove support for HTTP POST
- dict: Move local RNG state to global state
- dict: Get random seed from system PRNG
- io: Don't use "-" to read from stdin
- io: Rework initialization
- io: Consolidate error messages
- xzlib: Fix harmless unsigned integer overflow
- io: Always use unbuffered input
- io: Fix detection of compressed streams
- io: Pass error codes from xmlFileOpenReal to xmlNewInputFromFile
- io: Rework default callbacks
- error: Stop printing some errors by default
- xpath: Don't free nodes of XSLT result value trees
- valid: Fix handling of enumerations
- parser: Allow recovery in xmlParseInNodeContext
- encoding: Support ASCII in xmlLookupCharEncodingHandler
- include: Remove useless 'const' from function arguments
- Avoid EDG -Wignored-qualifiers warnings on wrong 'const *' to '* const' conversions (makise-homura)
- Avoid EDG deprecation warnings for LCC compiler (makise-homura)
- Avoid EDG -Woverflow warnings on truncating conversions by manually truncating operand (makise-homura)
- Avoid EDG -Wtype-limits warnings on unsigned comparisons with zero by conversion from unsigned int to int (makise-homura)
- Avoid using no_sanitize attribute on EDG even if compiler shows as GCC (makise-homura)

### Build systems
- meson: convert boolean options to feature option (Rosen Penev)
- meson: Pass LIBXML_STATIC in dependency (Andrew Potter)
- meson: fix compilation with local binaries (Rosen Penev)
- meson: don't use dl dependency on old meson (Rosen Penev)
- meson: fix usage as a subproject (Rosen Penev)
- autotools: Fix pthread detection on FreeBSD
- build: Remove --with-fexceptions configuration option
- autotools: Remove --with-coverage configuration option
- build: Disable HTTP support by default
- Stop defining _REENTRANT
- doc: Don't install example code
- meson: Initial commit (Vincent Torri)
- build: Disable support for compression libraries by default
- Set LIBXML2_FOUND if it has been properly configured (Michele Bianchi)
- Makefile.am: omit $(top_builddir) from DEPS and LDADDS (Mike Dalessio)

### Test suite
- runtest: Work around broken EUC-JP support in musl iconv
- runtest: Check for IBM-1141 encoding handler
- fuzz: Add xmllint fuzzer
- fuzz: Add fuzzer for XML reader API
- fuzz: New tree API fuzzer
- tests: Remove testOOM
- Don't let gentest.py cast types to 'const somethingPtr' to avoid -Wignored-qualifiers (makise-homura)

2.12.8

### Regressions
- parser: Fix performance regression when parsing namespaces

2.12.7

### Security
- [CVE-2024-34459] Fix buffer overread with `xmllint --htmlout`

### Regressions
- xmllint: Fix --pedantic option
- save: Handle invalid parent pointers in xhtmlNodeDumpOutput

2.12.6

### Regressions
- parser: Fix detection of duplicate attributes in XML namespace
- xmlreader: Fix xmlTextReaderConstEncoding
- html: Fix htmlCreatePushParserCtxt with encoding
- xmllint: Return error code if XPath returns empty nodeset

2.12.5

### Security
- [CVE-2024-25062] xmlreader: Don't expand XIncludes when backtracking

### Regressions
- parser: Fix crash in xmlParseInNodeContext with HTML documents

2.12.4

### Regressions
- parser: Fix regression parsing standalone declarations
- autotools: Readd --with-xptr-locs configuration option
- parser: Fix build --without-output
- parser: Don't grow or shrink pull parser memory buffers
- io: Fix memory lifetime issue with input buffers
Signed-off-by: Adolf Belka adolf.belka@ipfire.org --- config/rootfiles/common/libxml2 | 72 +-------------------------------- lfs/libxml2 | 16 ++++---- 2 files changed, 9 insertions(+), 79 deletions(-)
diff --git a/config/rootfiles/common/libxml2 b/config/rootfiles/common/libxml2 index 61e001ce7..0eadee10c 100644 --- a/config/rootfiles/common/libxml2 +++ b/config/rootfiles/common/libxml2 
@@ -54,80 +54,10 @@ #usr/lib/libxml2.la #usr/lib/libxml2.so usr/lib/libxml2.so.2 -usr/lib/libxml2.so.2.12.3 +usr/lib/libxml2.so.2.13.3 #usr/lib/pkgconfig/libxml-2.0.pc #usr/share/aclocal/libxml.m4 #usr/share/doc/libxml2 -#usr/share/doc/libxml2/examples -#usr/share/doc/libxml2/examples/index.html -#usr/share/doc/libxml2/examples/io1.c -#usr/share/doc/libxml2/examples/io2.c -#usr/share/doc/libxml2/examples/parse1.c -#usr/share/doc/libxml2/examples/parse2.c -#usr/share/doc/libxml2/examples/parse3.c -#usr/share/doc/libxml2/examples/parse4.c -#usr/share/doc/libxml2/examples/reader1.c -#usr/share/doc/libxml2/examples/reader2.c -#usr/share/doc/libxml2/examples/reader3.c -#usr/share/doc/libxml2/examples/reader4.c -#usr/share/doc/libxml2/examples/testWriter.c -#usr/share/doc/libxml2/examples/tree1.c -#usr/share/doc/libxml2/examples/tree2.c -#usr/share/doc/libxml2/examples/xmllint.c -#usr/share/doc/libxml2/examples/xpath1.c -#usr/share/doc/libxml2/examples/xpath2.c -#usr/share/doc/libxml2/tutorial -#usr/share/doc/libxml2/tutorial/apa.html -#usr/share/doc/libxml2/tutorial/apb.html -#usr/share/doc/libxml2/tutorial/apc.html -#usr/share/doc/libxml2/tutorial/apd.html -#usr/share/doc/libxml2/tutorial/ape.html -#usr/share/doc/libxml2/tutorial/apf.html -#usr/share/doc/libxml2/tutorial/apg.html -#usr/share/doc/libxml2/tutorial/aph.html -#usr/share/doc/libxml2/tutorial/api.html -#usr/share/doc/libxml2/tutorial/ar01s02.html -#usr/share/doc/libxml2/tutorial/ar01s03.html -#usr/share/doc/libxml2/tutorial/ar01s04.html -#usr/share/doc/libxml2/tutorial/ar01s05.html -#usr/share/doc/libxml2/tutorial/ar01s06.html -#usr/share/doc/libxml2/tutorial/ar01s07.html -#usr/share/doc/libxml2/tutorial/ar01s08.html -#usr/share/doc/libxml2/tutorial/ar01s09.html -#usr/share/doc/libxml2/tutorial/images -#usr/share/doc/libxml2/tutorial/images/blank.png -#usr/share/doc/libxml2/tutorial/images/callouts -#usr/share/doc/libxml2/tutorial/images/callouts/1.png -#usr/share/doc/libxml2/tutorial/images/callouts/10.png 
-#usr/share/doc/libxml2/tutorial/images/callouts/2.png -#usr/share/doc/libxml2/tutorial/images/callouts/3.png -#usr/share/doc/libxml2/tutorial/images/callouts/4.png -#usr/share/doc/libxml2/tutorial/images/callouts/5.png -#usr/share/doc/libxml2/tutorial/images/callouts/6.png -#usr/share/doc/libxml2/tutorial/images/callouts/7.png -#usr/share/doc/libxml2/tutorial/images/callouts/8.png -#usr/share/doc/libxml2/tutorial/images/callouts/9.png -#usr/share/doc/libxml2/tutorial/images/caution.png -#usr/share/doc/libxml2/tutorial/images/draft.png -#usr/share/doc/libxml2/tutorial/images/home.png -#usr/share/doc/libxml2/tutorial/images/important.png -#usr/share/doc/libxml2/tutorial/images/next.png -#usr/share/doc/libxml2/tutorial/images/note.png -#usr/share/doc/libxml2/tutorial/images/prev.png -#usr/share/doc/libxml2/tutorial/images/tip.png -#usr/share/doc/libxml2/tutorial/images/toc-blank.png -#usr/share/doc/libxml2/tutorial/images/toc-minus.png -#usr/share/doc/libxml2/tutorial/images/toc-plus.png -#usr/share/doc/libxml2/tutorial/images/up.png -#usr/share/doc/libxml2/tutorial/images/warning.png -#usr/share/doc/libxml2/tutorial/includeaddattribute.c -#usr/share/doc/libxml2/tutorial/includeaddkeyword.c -#usr/share/doc/libxml2/tutorial/includeconvert.c -#usr/share/doc/libxml2/tutorial/includegetattribute.c -#usr/share/doc/libxml2/tutorial/includekeyword.c -#usr/share/doc/libxml2/tutorial/includexpath.c -#usr/share/doc/libxml2/tutorial/index.html -#usr/share/doc/libxml2/tutorial/ix01.html #usr/share/doc/libxml2/xmlcatalog.html #usr/share/doc/libxml2/xmllint.html #usr/share/gtk-doc/html/libxml2 diff --git a/lfs/libxml2 b/lfs/libxml2 index b9298a7ff..9c98ef0b5 100644 --- a/lfs/libxml2 +++ b/lfs/libxml2 
@@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2023 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2024 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 2.12.3 +VER = 2.13.3
THISAPP = libxml2-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -42,7 +42,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 12a7c25d2a13d839aac918268b0948a9bd3c352bc29dd09bb975a9b4ff99d299a0e157b1a90f01bdce8ddc36ede9a6834b0dc26635ac775a41bd28d9b2ad7cff +$(DL_FILE)_BLAKE2 = 446dce96b7386961877812b4f7bd804b236ca676ba5738c4b058b8b6ac610ae2e8eb1871884bfe7ca9130088820312b8fdf6878c8ea85d3c4d4d63f8591816f6
install : $(TARGET)
@@ -73,11 +73,11 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) $(UPDATE_AUTOMAKE) - cd $(DIR_APP) && ./configure \ - --prefix=/usr \ - --disable-static \ - --with-history \ - --without-python + cd $(DIR_APP) && ./configure \ + --prefix=/usr \ + --disable-static \ + --with-history \ + --without-python cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install @rm -rf $(DIR_APP)
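Review bot: the commit message says only "Update of rootfile", but in the config/rootfiles/common/libxml2 hunk (@@ -54,80 +54,10) the one uncommented change is usr/lib/libxml2.so.2.12.3 becoming usr/lib/libxml2.so.2.13.3, while usr/lib/libxml2.so.2 stays, so nothing forces packages that link against libxml2 to rebuild. The 2.13.0 notes quoted in the message list removals (HTTP POST support, memory debugging, Trio) and deprecated globals made const, so please state whether the packages linking against libxml2 were rebuilt or at least tested against 2.13.3. It would also help to say that the removed #usr/share/doc/libxml2/examples and #usr/share/doc/libxml2/tutorial lines are commented-out entries, so the shipped file set changes only in the versioned library name.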
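Review bot: the new $(DL_FILE)_BLAKE2 value in the lfs/libxml2 hunk at @@ -42,7 +42,7 is the integrity check this file carries for libxml2-2.13.3.tar.xz, and nothing in the patch lets a reviewer confirm it. Please note in the commit message where the tarball was obtained and that the digest was computed from a copy checked against upstream's published checksum, so the value can be reproduced independently before this is merged.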
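Review bot: the ./configure block in the last lfs/libxml2 hunk (@@ -73,11 +73,11) still passes only --prefix=/usr, --disable-static, --with-history and --without-python, while the 2.13.0 notes in the commit message say zlib, liblzma and HTTP support are now disabled by default and need --with-zlib, --with-lzma or --with-http. The update therefore changes the feature set of the built library without any visible change to the options. Having HTTP off reduces attack surface on a firewall, but the choice should be explicit: either add the options that are wanted, or state in the commit message that compressed-input and HTTP support are intentionally left off and that no consumer of libxml2 on the system relies on them. The removed and added lines of this hunk also read identically here; if the change is whitespace-only, please say so in the message.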