Security fixes:
CVE-2024-8176 -- Fix a crash (stack overflow) triggered by chaining a large number of entities, by removing the recursion from entity expansion (each level of entity nesting previously consumed a native stack frame, so a deep enough chain exhausted the stack), for all three uses of entities:
- general entities in character data ("<e>&g1;</e>")
- general entities in attribute values ("<e k1='&g1;'/>")
- parameter entities ("%p1;")
Known impact is (reliable and easy) denial of service:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C (Base Score: 7.5, Temporal Score: 7.2)
Please note that a layer of compression around XML can significantly reduce the minimum attack payload size.
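The following is an added example and is not expat's code or the project's fix. It builds the entity-chaining shape described above (g1 references g2, g2 references g3, and so on), shows a toy recursive expander exhausting the stack on it (RecursionError here, where a C parser would crash), and shows an expander that keeps the nesting state in an explicit heap-allocated work stack instead, in the spirit of removing the recursion. It also measures how much a deflate layer shrinks the payload, which is the compression caveat above. The function names, the minimal DTD regexes and the constructed document are assumptions of this example and do not reflect expat's internals.

```python
"""Added example (not expat project code): entity chaining vs. recursive and
iterative expansion. All names here are hypothetical; the payload is constructed."""
import re
import zlib

# Toy DTD handling: enough for '<!ENTITY name "value">' internal-subset
# declarations and '&name;' references. Not a general XML parser.
ENTITY_DECL = re.compile(r'<!ENTITY\s+([^\s"]+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r'&([^;&\s<>]+);')


def build_chained_entity_doc(depth: int) -> str:
    """Constructed payload: g1 -> g2 -> ... -> gN, each replacement text
    referencing the next entity, with g1 used once in character data."""
    decls = [f'<!ENTITY g{i} "&g{i + 1};">' for i in range(1, depth)]
    decls.append(f'<!ENTITY g{depth} "x">')
    return "<!DOCTYPE e [\n" + "\n".join(decls) + "\n]>\n<e>&g1;</e>\n"


def parse_entities(doc: str) -> dict:
    """Collect general entity declarations (name -> replacement text)."""
    return dict(ENTITY_DECL.findall(doc))


def expand_recursive(text: str, entities: dict) -> str:
    """Pre-fix shape: one call frame per nesting level, so a long chain
    exhausts the stack (RecursionError in Python, a crash in native code)."""
    return ENTITY_REF.sub(
        lambda m: expand_recursive(entities[m.group(1)], entities), text)


def expand_iterative(text: str, entities: dict, max_output: int = 1 << 20) -> str:
    """Post-fix shape: nesting state lives in a heap-allocated work stack, so
    depth is bounded by memory rather than by the native stack. Also rejects
    recursive entity references (XML's "No Recursion" well-formedness rule)
    and caps the expanded size against entity-amplification attacks."""
    out, total = [], 0
    active = set()                 # entities whose expansion is in progress
    stack = [(text, 0, None)]      # frames: (replacement text, cursor, entity name)
    while stack:
        s, pos, name = stack.pop()
        m = ENTITY_REF.search(s, pos)
        chunk = s[pos:] if m is None else s[pos:m.start()]
        total += len(chunk)
        if total > max_output:
            raise ValueError("entity expansion exceeds max_output")
        out.append(chunk)
        if m is None:
            if name is not None:
                active.discard(name)        # this entity is fully expanded
            continue
        ref = m.group(1)
        if ref in active:
            raise ValueError(f"recursive reference to entity {ref}")
        if ref not in entities:
            raise KeyError(f"undeclared entity {ref}")
        stack.append((s, m.end(), name))        # resume after the reference
        active.add(ref)
        stack.append((entities[ref], 0, ref))   # descend into the entity
    return "".join(out)


def expand_status(text, entities, expander):
    """Run an expander and report ("ok", result) or ("error", exception name)."""
    try:
        return "ok", expander(text, entities)
    except (RecursionError, ValueError, KeyError) as exc:
        return "error", type(exc).__name__


def compressed_ratio(doc: str) -> float:
    """Size reduction under deflate: how much a compression layer shrinks
    the minimum payload a client has to send."""
    raw = doc.encode()
    return len(raw) / len(zlib.compress(raw, 9))


if __name__ == "__main__":
    doc = build_chained_entity_doc(20_000)
    ents = parse_entities(doc)
    print(len(doc), "bytes raw, deflate ratio %.1fx" % compressed_ratio(doc))
    print("recursive:", expand_status("&g1;", ents, expand_recursive))
    print("iterative:", expand_status("&g1;", ents, expand_iterative))
    print("cycle:", expand_status("&a;", {"a": "&b;", "b": "&a;"}, expand_iterative))
```

Run it as a script to see the recursive expander fail on the 20,000-entity chain while the iterative one returns the single expanded character; the cycle check and the output cap are the two extra checks a replacement for recursion still needs, since removing recursion alone does not bound expansion size.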
Other changes:
Autotools: Make generated CMake files look for libexpat.@[email protected] on macOS
Autotools: Sync CMake templates with CMake 3.29
CMake: Drop support for CMake <3.13
CMake: Small fuzzing related improvements
docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4
docs: Document need for C++11 compiler for use from C++
tests/benchmark: Fix a (harmless) TOCTTOU race (time of check to time of use)
Windows: Fix installer target location of file xmlwf.xml for CMake
Windows: Address warning -Wunknown-warning-option about -Wno-pedantic-ms-format from LLVM MinGW
Address Cppcheck warnings
Mass-migrate links from http:// to https://
tests: Increase robustness
tests: Increase test coverage
Fuzzing: Add new fuzzer "xml_lpm_fuzzer" based on Google's libprotobuf-mutator ("LPM")
Fuzzing|CI: Start producing fuzzing code coverage reports
CI: Pass -q -q for LCOV >=2.1 in coverage.sh
CI: Small fuzzing related improvements
CI: Make GitHub Actions build using MSVC on Windows and produce 32bit and 64bit Windows binaries
CI: Get off of about-to-be-removed Ubuntu 20.04
CI: Start uploading to Coverity Scan for static analysis
CI: Stop loading DTD from the internet to address flaky CI
CI: Adapt to breaking changes in Cppcheck