When will we get expat 2.1.0 in Slackware?
expat version 2.1.0 has been out for more than one year.
But Slackware-current is still using 2.0.1.
When will we get the latest version in official releases?
README: (From http://sourceforge.net/projects/expat/)
This new release of the Expat XML parser contains mostly bug fixes and
patches to the build system. A conditional feature to extract
attribute byte offsets has been added as well.
It is highly recommended to upgrade to this new version as it fixes all
known security vulnerabilities (see below - identified by CVE numbers).
Changes in Expat 2.1.0:
- Bug Fixes:
#1742315: Harmful XML_ParserCreateNS suggestion.
#2895533: CVE-2012-1147 - Resource leak in readfilemap.c.
#1785430: Expat build fails on linux-amd64 with gcc version>=4.1 -O3.
#1983953, 2517952, 2517962, 2649838:
Build modifications using autoreconf instead of buildconf.sh.
#2815947, #2884086: OBJEXT and EXEEXT support while building.
#1990430: CVE-2009-3720 - Parser crash with special UTF-8 sequences.
#2517938: xmlwf should return non-zero exit status if not well-formed.
#2517946: Wrong statement about XMLDecl in xmlwf.1 and xmlwf.sgml.
#2855609: Dangling positionPtr after error.
#2894085: CVE-2009-3560 - Buffer over-read and crash in big2_toUtf8().
#2958794: CVE-2012-1148 - Memory leak in poolGrow.
#2990652: CMake support.
#3010819: UNEXPECTED_STATE with a trailing "%" in entity value.
#3206497: Uninitialized memory returned from XML_Parse.
#3287849: make check fails on mingw-w64.
#3496608: CVE-2012-0876 - Hash DOS attack.
#1749198: pkg-config support.
#3010222: Fix for bug #3010819.
#3312568: CMake support.
#3446384: Report byte offsets for attr names and values.
- New Features / API changes:
Added new API member XML_SetHashSalt() that allows setting an initial
value (salt) for hash calculations. This is part of the fix for
bug #3496608 to randomize hash parameters.
When compiled with XML_ATTR_INFO defined, adds new API member
XML_GetAttributeInfo() that allows retrieving the byte
offsets for attribute names and values (patch #3446384).
Added CMake build system.
See bug #2990652 and patch #3312568.
Added run-benchmark target to Makefile.in - relies on testdata module
present in the same relative location as in the repository.
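What a salted initial value does to bucket placement, as an added example (not expat's code and not part of the thread): a FNV-1-style toy hash takes its initial value as the salt, and the key set, bucket count and salt values are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>

#define NBUCKETS 16u   /* power of two, so the bucket index is the low bits */

/* FNV-1-style toy hash; the initial value plays the role of the salt. */
static uint32_t toy_hash(const char *s, uint32_t salt)
{
    uint32_t h = salt;
    while (*s) {
        h *= 16777619u;              /* 32-bit FNV prime */
        h ^= (unsigned char)*s++;
    }
    return h;
}

/* Largest number of keys that share one bucket for a given salt. */
static unsigned max_bucket_load(const char *const *keys, size_t n, uint32_t salt)
{
    unsigned load[NBUCKETS] = {0}, worst = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned b = toy_hash(keys[i], salt) & (NBUCKETS - 1);
        if (++load[b] > worst)
            worst = load[b];
    }
    return worst;
}

/* Constructed key set: with an initial value of 0 every key maps to bucket 0. */
static const char *const KEYS[] = { "ac", "bf", "ci", "dl", "eo", "fb", "ge", "hh" };
#define NKEYS (sizeof KEYS / sizeof KEYS[0])

int main(void)
{
    /* Fixed salts keep the output reproducible; a real program would draw
       the salt from a random source once per process. */
    printf("salt 0x00000000: worst bucket holds %u of %u keys\n",
           max_bucket_load(KEYS, NKEYS, 0u), (unsigned)NKEYS);
    printf("salt 0x5eed000b: worst bucket holds %u of %u keys\n",
           max_bucket_load(KEYS, NKEYS, 0x5eed000bu), (unsigned)NKEYS);
    return 0;
}
```

With the fixed initial value the whole key set degenerates into one chain; with the second salt the same keys spread over three buckets, which is why the salt has to be unpredictable to whoever supplies the input.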
You can have it today, if you install it. :)
I mean in the official releases... such as Slackware 15.x?
Next Slackware will be 14.1, not 15.0
Sorry, I didn't notice that.
Would you please tell me where to get such information?
Caveat emptor: our BDFL may change his mind any time until the release is announced ;)
Thank you very much. And your "Caveat emptor" is so interesting. :)
Back to the topic: if Patrick Volkerding reads this thread he will possibly consider it as an upgrade request. If this upgrade doesn't show up in a few weeks in Slackware-current's Changelog, you could write to him directly.
I've seen that LQ has been mentioned many times in the -current Changelog.
So I tried to ask here. I hope I will see the change soon.
Thank you for your advice. ;)
The 2009 CVEs listed are already patched into the Slackware expat package. I don't know whether Pat has looked at the 2012 CVEs for expat. Sometimes he decides that the CVEs aren't serious enough to warrant a bump and other times they manage to fly right under his radar until someone shouts "CVEs!!! 2 O'Clock low!" ;)
Time for the Pat Signal... :)
Pat Signal - That's a good one! :)
Packages get updated for the mainstream of Slackware as they are needed, but this also involves a lot of testing to ensure the package works with other stuff that may depend on it without any issues.
Patrick upgrades stuff as needed or if a security issue is raised mostly, but only if compatibility and stability aren't sacrificed too much.
That's why Slackware is such a stable OS.
Can we also have an update on curl/libcurl?
I'll get both curl and expat in -current. The reason we didn't have expat yet was that the sourceforge site was never updated to show that there was a new release... sorry about that. The expat CVEs from 2009 were actually serious ones, and were already patched. The new ones from 2012, not so much. A memory leak (i.e. a bug), and a possible high CPU usage issue. Since the fix for the latter has been noted to possibly cause a regression (or at least a change of program behavior), I don't think it should be backported right away.
Anyway, coming soon in -current.
I sent a request to the 'info' mailing list, but I'm not sure that is the right place, so I will post here.
It would be very nice to have a more recent version of Guile in the next release of Slackware. Guile 2.0 has been out for two years now (-current has v1.8 at present) and has seen some significant improvements (not least of which is a byte code compiler).
I have no problem installing it myself (the stock SlackBuild works fine), but I am reluctant to share scripts with others since it'd require that they first upgrade their interpreter.