Bug 1963400 - expat-2.4.1 is available
Summary: expat-2.4.1 is available
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: expat
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Joe Orton
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-05-22 23:29 UTC by Upstream Release Monitoring
Modified: 2021-07-01 02:17 UTC

Fixed In Version: expat-2.4.1-1.fc35 expat-2.4.1-1.fc34 expat-2.4.1-1.fc33
Doc Type: ---
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-06-01 10:15:55 UTC
Type: ---
Embargoed:



Description Upstream Release Monitoring 2021-05-22 23:29:40 UTC
Latest upstream release: 2.4.0
Current version/release in rawhide: 2.3.0-1.fc35
URL: https://libexpat.github.io/

Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/


More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring


Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream.


Based on the information from anitya: https://release-monitoring.org/project/770/

Comment 1 Upstream Release Monitoring 2021-05-22 23:29:44 UTC
Skipping the scratch build because an SRPM could not be built: ['rpmbuild', '-D', '_sourcedir .', '-D', '_topdir .', '-bs', '/var/tmp/thn-lxdiaaz3/expat.spec'] returned 1: b'error: line 5: unclosed macro or bad line continuation\n'

Comment 2 Upstream Release Monitoring 2021-05-23 17:25:48 UTC
Latest upstream release: 2.4.1
Current version/release in rawhide: 2.3.0-1.fc35
URL: https://libexpat.github.io/

Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/


More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring


Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream.


Based on the information from anitya: https://release-monitoring.org/project/770/

Comment 3 Upstream Release Monitoring 2021-05-23 17:25:50 UTC
Skipping the scratch build because an SRPM could not be built: ['rpmbuild', '-D', '_sourcedir .', '-D', '_topdir .', '-bs', '/var/tmp/thn-ilrbdgcb/expat.spec'] returned 1: b'error: line 5: unclosed macro or bad line continuation\n'

Comment 4 Xose Vazquez Perez 2021-05-23 17:55:27 UTC
(In reply to Upstream Release Monitoring from comment #2)

> Latest upstream release: 2.4.1
> Current version/release in rawhide: 2.3.0-1.fc35
> URL: https://libexpat.github.io/
> Based on the information from anitya: https://release-monitoring.org/project/770/

2.4.0, among others, fixes security bugs:

Security fixes:  #34 #466 #484  CVE-2013-0340/CWE-776
 Protect against billion laughs attacks
 (denial-of-service; flavors targeting CPU time or RAM or both,
 leveraging general entities or parameter entities or both)
 by tracking and limiting the input amplification factor
 (<amplification> := (<direct> + <indirect>) / <direct>).
 By conservative default, amplification up to a factor of 100.0
 is tolerated and rejection only starts after 8 MiB of output bytes
 (=<direct> + <indirect>) have been processed.
 The fix adds the following to the API:
 - A new error code XML_ERROR_AMPLIFICATION_LIMIT_BREACH to
   signal this specific condition.
 - Two new API functions ..
   - XML_SetBillionLaughsAttackProtectionMaximumAmplification and
   - XML_SetBillionLaughsAttackProtectionActivationThreshold
   .. to further tighten billion laughs protection parameters
   when desired.  Please see file "doc/reference.html" for details.
   If you ever need to increase the defaults for non-attack XML
   payload, please file a bug report with libexpat.
 - Two new XML_FEATURE_* constants ..
   - that can be queried using the XML_GetFeatureList function, and
   - that are shown in "xmlwf -v" output.
 - Two new environment variable switches ..
   - EXPAT_ACCOUNTING_DEBUG=(0|1|2|3) and
   - EXPAT_ENTITY_DEBUG=(0|1)
   .. for runtime debugging of accounting and entity processing.
   Specific behavior of these values may change in the future.
 - Two new command line arguments "-a FACTOR" and "-b BYTES"
   for xmlwf to further tighten billion laughs protection
   parameters when desired.
   If you ever need to increase the defaults for non-attack XML
   payload, please file a bug report with libexpat.
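
The amplification rule quoted in comment 4, as an added example that is not part of the original bug report and is not libexpat's code: a simplified model in which the struct and function names are hypothetical and only the innermost entity text is counted as indirect bytes. It shows that rejection needs both conditions at once, so a small document with a very high factor passes under the defaults, and tightening either parameter moves the cut-off earlier.

```c
#include <stdint.h>
#include <stdio.h>

/* Defaults quoted in the changelog: factor 100.0, activation after 8 MiB. */
#define DEFAULT_MAX_FACTOR 100.0
#define DEFAULT_ACTIVATION (8ULL * 1024 * 1024)

/* Hypothetical per-parse counters; the names are this example's own. */
struct accounting {
    uint64_t direct;   /* bytes read from the document itself */
    uint64_t indirect; /* bytes produced by expanding entities */
};

/* 1 = keep parsing, 0 = limit breached. Rejection needs both: output at or
 * past the activation threshold AND (direct + indirect) / direct too high. */
static int tolerated(const struct accounting *a, double max_factor, uint64_t activation) {
    uint64_t output = a->direct + a->indirect;
    double factor = (double)output / (double)(a->direct ? a->direct : 1);
    return output < activation || factor <= max_factor;
}

/* Expanded size of nested entities: innermost holds `leaf` bytes, each outer
 * level references the one below `fanout` times. Saturates on overflow. */
static uint64_t expanded_size(uint64_t leaf, uint64_t fanout, unsigned depth) {
    uint64_t size = leaf;
    for (unsigned i = 0; i < depth; i++) {
        if (fanout != 0 && size > UINT64_MAX / fanout) return UINT64_MAX;
        size *= fanout;
    }
    return size;
}

/* Account the expansion `leaf` bytes at a time. Returns the output byte count
 * at which parsing is rejected, or 0 if the whole expansion is tolerated. */
static uint64_t output_at_rejection(uint64_t direct, uint64_t leaf, uint64_t fanout,
                                    unsigned depth, double max_factor, uint64_t activation) {
    struct accounting a = { direct, 0 };
    uint64_t total = expanded_size(leaf, fanout, depth);
    while (a.indirect < total) {
        a.indirect += leaf;
        if (!tolerated(&a, max_factor, activation)) return a.direct + a.indirect;
    }
    return 0;
}

int main(void) { /* constructed input: 1000-byte document, 10-byte leaf, fanout 10 */
    printf("%llu\n", (unsigned long long)output_at_rejection(1000, 10, 10, 9, DEFAULT_MAX_FACTOR, DEFAULT_ACTIVATION));
    printf("%llu\n", (unsigned long long)output_at_rejection(1000, 10, 10, 5, 10.0, 64 * 1024));
    return 0;
}
```

With the real library, the two tunables correspond to XML_SetBillionLaughsAttackProtectionMaximumAmplification and XML_SetBillionLaughsAttackProtectionActivationThreshold named in the changelog, and a breach is reported as XML_ERROR_AMPLIFICATION_LIMIT_BREACH.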

Comment 5 Fedora Update System 2021-06-01 10:12:59 UTC
FEDORA-2021-ff00e58672 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2021-ff00e58672

Comment 6 Fedora Update System 2021-06-01 10:15:55 UTC
FEDORA-2021-ff00e58672 has been pushed to the Fedora 35 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 7 Fedora Update System 2021-06-09 10:51:24 UTC
FEDORA-2021-523ee0a81e has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-523ee0a81e

Comment 8 Fedora Update System 2021-06-10 01:20:11 UTC
FEDORA-2021-523ee0a81e has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-523ee0a81e`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-523ee0a81e

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2021-06-15 01:05:07 UTC
FEDORA-2021-523ee0a81e has been pushed to the Fedora 34 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 10 Fedora Update System 2021-06-15 06:51:23 UTC
FEDORA-2021-b84d81929a has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-b84d81929a

Comment 11 Fedora Update System 2021-06-16 01:44:21 UTC
FEDORA-2021-b84d81929a has been pushed to the Fedora 33 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-b84d81929a`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-b84d81929a

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 12 Fedora Update System 2021-07-01 02:17:20 UTC
FEDORA-2021-b84d81929a has been pushed to the Fedora 33 stable repository.
If the problem still persists, please make note of it in this bug report.

