Security fixes:
- CVE-2023-52425: Fix quadratic runtime issues with big tokens that can
cause denial of service, in particular when dealing with compressed XML
input. Applications that parsed a document in one go -- a single call
to functions XML_Parse or XML_ParseBuffer -- were not affected. The
smaller the chunks/buffers you used for parsing previously, the bigger
the problem prior to the fix.
- CVE-2023-52426: Fix billion laughs attacks for users compiling
*without* XML_DTD defined (which is not common). Users with XML_DTD
defined have been protected since Expat >=2.4.0 (and that was
CVE-2013-0340 back then).
https://blog.hartwork.org/posts/expat-2-6-0-released/
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>