Fixes two CVEs:
- CVE-2019-15903 (Fix heap overflow triggered by XML_GetCurrentLineNumber)
- CVE-2018-20843 (Fix extraction of namespace prefixes from XML names)
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit b4af2c689f)

On some systems (Gentoo) configure stage fails because of docbook2man
working with SGML rather than with XML. We don't need xmlwf man pages so
we disable this.
Signed-off-by: Marko Ratkaj <marko.ratkaj@sartura.hr>
(backported from 6e80dd58bb)

CPE ids help to track CVEs in packages.
https://cpe.mitre.org/specification/
Thanks to swalker for CPE to package mapping and
keep tracking CVEs.
Acked-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>

Update (lib)expat to 2.2.3
Remove poor entropy hack, 2.2.3 uses /dev/urandom in worst case
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>

Expat release 2.2.2 requires support for either syscall(SYS_getrandom) which
is available on Linux 3.17 or support for getrandom() which is only available
in glibc 2.25 or later.
Since some of our builders still run on Linux 3.16, we need to forcibly
disable the use of getrandom() for the host builds.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

Updates expat to 2.2.0
Fixes several CVEs:
CVE-2016-0718
CVE-2016-4472
CVE-2016-5300
CVE-2012-6702
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>