For readers new to Expat: libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C, precisely C99. It is cross-platform and licensed under the MIT license.
Expat 2.6.0 has been released.
Most importantly, this release fixes two security issues — and CVE-2023-52426 — that can be used to cause denial of service.
There are also non-security bugfixes, many improvements to the two official build systems (GNU Autotools and CMake), enhancements to the documentation and the xmlwf command line tool, new example code, hardened CI security, and many more improvements, both above and below water level. For more details, please check out the change log.
While these are not new learnings, to me this release proved once more that OSS-Fuzz and fuzzing keep uncovering actual and surprising bugs, and that Clang's AddressSanitizer and UndefinedBehaviorSanitizer have become invaluable to the C/C++ community and can hardly be over-promoted.
If you maintain Expat packaging or a bundled copy of Expat or a pinned version of Expat somewhere, please update to 2.6.0. Thank you!