
Expat 2.2.8 with security fixes has been released

libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C. It is cross-platform and licensed under the MIT license.

Expat 2.2.8 was released yesterday. This release fixes a security issue (a heap buffer over-read known as CVE-2019-15903, reported by Joonun Jang, resulting in Denial of Service), starts using the rand_s function on Windows and MinGW (ending the previous LoadLibrary hack), includes non-security bugfixes, many build system fixes and improvements, improvements to xmlwf usability, and more.

For more details regarding the latest release, please check out the changelog.

If you maintain Expat packaging or a bundled copy of Expat or a pinned version of Expat somewhere, please update to 2.2.8. Thank you!

Sebastian Pipping

Expat 2.2.7 with security fixes has been released

libexpat is a fast streaming XML parser written in C. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C. It is cross-platform and licensed under the MIT license.

Expat 2.2.7 was released a few days ago. Besides improvements to the build system, 2.2.7 fixes security issue CVE-2018-20843 that allowed use of specially crafted XML to cause Denial of Service. The issue was found during fuzzing of LibreOffice by the Chromium team and reported by Caolán McNamara.

With regard to Denial of Service protection, libexpat still needs a partner to sponsor additional development workforce — my own time remaining free but limited — to prevent Denial of Service through Billion laughs attacks by default, for the masses, with sane defaults, and with knobs for tuning. If you operate software accepting XML from the internet in an enterprise and aim at 99.9%-and-beyond availability per year, please get in touch.

For more details regarding the latest release, please check out the changelog.

If you maintain Expat packaging and/or a bundled copy of Expat and/or a pinned version of Expat somewhere, please update to 2.2.7. Thank you!

Sebastian Pipping

uriparser 0.9.3 released

uriparser 0.9.3 was released a few minutes ago. 0.9.3 is a fix-up to 0.9.2. Combined, releases 0.9.2 and 0.9.3 feature:

  • Migration from GNU autotools to CMake

  • Link fixes for use of uriparser from C++ code

  • Library visibility fixes / introduction of -fvisibility=hidden

For more details please check the change log.

Last but not least: If you maintain uriparser packaging or a bundled version of uriparser somewhere, please update to 0.9.3. Thank you!

Sebastian's Muesli Chocolate Cake 1.0

Background

This recipe is based on an East German (GDR) recipe for marble cake (according to the secondary source, from the book Kochkunst. Lukullisches von A bis Z) and on the observation that the chocolate half of a marble cake is the exciting one: so why not leave out the boring half and double the exciting half?

I also like rolled oats, so compared to the original I replace 100 g of flour with 200 g of rolled oats.

Ingredients

  • 250 g margarine
  • 250 g white sugar
  • 400 g wheat flour
  • 200 g coarse rolled oats
  • 80 g baking cocoa
  • 4 eggs
  • 250 ml milk
  • 1 sachet vanillin sugar
  • 1 sachet baking powder
  • Grated zest of 1/2 organic(!) lemon
  • 2 tablespoons white rum

Preparation

  • Beat the margarine until creamy, then gradually stir in both kinds of sugar, the eggs, the grated lemon zest and the rum.
  • Add the flour, mixed with the baking powder, in portions alternating with the milk and stir, then the rolled oats, then the cocoa.
  • Fill a greased loaf tin with the batter.
  • Bake at medium heat, e.g. 100 minutes at setting 5 of 8 in a gas oven without preheating.
  • Done.

80% time at 80% money — what's in it for employers?

With the exception of a few weeks, I have been working 4 days a week, 32 hours, 80% time at 80% money for over six years now.

Why?

The core idea is that spare time is worth more to me than salary can make up for. A pile of money at 60 is not going to buy me back time I wish I had when I was younger — time that I could spend now.

When I started, one day off allowed me to take Spanish classes during working hours. If I needed to explain why I let go of 20% of the money, I'd say I do it to…

  • keep my battery charged and reduce risk of burnout,

  • have e.g. dentist appointments without taking time off or stressing myself about being back in time,

  • work on free software and get personal todos done outside the weekend, and

  • spend more time on learning new things.

Which of these benefits are in the interest of my employer?

All of them.

Disagree? Have something to add? Drop me a mail at sebastian@pipping.org.