Hello community,

here is the log from the commit of package expat for openSUSE:Factory checked in at 2026-05-16 19:23:32
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/expat (Old)
 and      /work/SRC/openSUSE:Factory/.expat.new.1966 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "expat" Sat May 16 19:23:32 2026 rev:86 rq:1353228 version:2.8.1 Changes: -------- --- /work/SRC/openSUSE:Factory/expat/expat.changes 2026-03-31 15:21:50.923246982 +0200 +++ /work/SRC/openSUSE:Factory/.expat.new.1966/expat.changes 2026-05-16 19:23:41.111974655 +0200 @@ -1,0 +2,26 @@ +Thu May 14 19:13:23 UTC 2026 - Dirk Müller <[email protected]> + +- update to 2.8.1 + (bsc#1264713, CVE-2026-45186, + bsc#1262263, CVE-2026-41080): + * Fix quadratic runtime from attribute name + collision checks that allowed denial of service attacks + through moderately sized crafted XML input (CWE-407). + Please note that a layer of compression around XML can + significantly reduce the minimum attack payload size. + * CVE-2026-41080 -- The existing hash flooding + protection only used 4 to 8 bytes of entropy for + * a salt, when 16 bytes of salt are supported by the + * implementation of SipHash used by Expat. Now full 16 bytes + * of entropy are used to improve protection against hash + * flooding attacks. + * Existing API function XML_SetHashSalt is now deprecated + * because of its limitations, and its use should be + * considered a vulnerability. Please either use the new API + * function XML_SetHashSalt16Bytes (with known-high-quality + * entropy input only!) instead, or leave the derivation of + * a 16-bytes hash salt from high quality entropy to Expat's + * internal machinery (by *not* calling either of the two + * XML_SetHashSalt* functions). + +------------------------------------------------------------------- Old: ---- expat-2.7.5.tar.xz expat-2.7.5.tar.xz.asc New: ---- expat-2.8.1.tar.xz expat-2.8.1.tar.xz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ expat.spec ++++++ --- /var/tmp/diff_new_pack.7oMTw7/_old 2026-05-16 19:23:42.460029826 +0200 +++ /var/tmp/diff_new_pack.7oMTw7/_new 2026-05-16 19:23:42.460029826 +0200 
@@ -17,10 +17,10 @@ # -%global unversion 2_7_5 +%global unversion 2_8_1 %define sover 1 Name: expat -Version: 2.7.5 +Version: 2.8.1 Release: 0 Summary: XML Parser Toolkit License: MIT ++++++ expat-2.7.5.tar.xz -> expat-2.8.1.tar.xz ++++++ ++++ 5248 lines of diff (skipped)
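Review bot: In the expat.changes hunk, the wrapped lines of the CVE-2026-41080 item each carry their own leading "* " (from "* a salt, when 16 bytes of salt are supported by the" through "* XML_SetHashSalt* functions)."), so a single item renders as a run of separate bullets, while the first item wraps as plain indented text. Drop the asterisks on the continuation lines and give the XML_SetHashSalt deprecation its own bullet, since it is the part that callers have to act on. The first item also names no CVE although the second one does; prefixing it with its identifier from the "update to 2.8.1" header would make the bsc/CVE pairing unambiguous.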
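Review bot: "%define sover 1" is left unchanged in the expat.spec hunk although this bump goes from 2.7.5 to 2.8.1 and the changelog announces a new API function (XML_SetHashSalt16Bytes) together with the deprecation of XML_SetHashSalt, so please confirm that the built library still has soname version 1 and that the new symbol is exported as expected. The tarball diff is skipped (5248 lines), so neither can be verified from this mail. Since the changelog says use of XML_SetHashSalt "should be considered a vulnerability", it would also help to check which packages in Factory still call it.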
