Removed rpms
============

 - alsa-plugins-pulse-32bit
 - alsa-oss-32bit
 - cyrus-sasl-gssapi-32bit
 - fontconfig-32bit
 - glibc-locale-32bit
 - glibc-locale-base-32bit
 - libXau6-32bit
 - libattr1-32bit
 - libblkid1-32bit
 - libbrotlidec1-32bit
 - libdw1-32bit
 - libexpat1-32bit
 - libffi7-32bit
 - libgdbm4-32bit
 - libgobject-2_0-0-32bit
 - libhogweed6-32bit
 - liblz4-1-32bit
 - libpulse0-32bit
 - libtextstyle0-32bit
 - libvorbis0-32bit
 - nss-mdns-32bit
 - pam_pwquality-32bit
 - perl-base-32bit
 - samba-client-libs-32bit
 - qemu-ipxe
 - libFLAC8-32bit
 - libacl1-32bit
 - libaudit1-32bit
 - libcrypt1-32bit
 - libdbus-1-3-32bit
 - libfontconfig1-32bit
 - libfreetype6-32bit
 - libgmodule-2_0-0-32bit
 - libidn2-0-32bit
 - libkeyutils1-32bit
 - libldb2-32bit
 - liblzma5-32bit
 - libmagic1-32bit
 - libnss_usrfiles2-32bit
 - libparted0-32bit
 - libpci3-32bit
 - libpcre1-32bit
 - libpopt0-32bit
 - libselinux1-32bit
 - libsndfile1-32bit
 - libtirpc3-32bit
 - libudev1-32bit
 - libunistring2-32bit
 - libuuid1-32bit
 - qemu-vgabios
 - samba-client-32bit

Added rpms
==========

 - alsa-oss-32bit
 - cyrus-sasl-gssapi-32bit
 - fontconfig-32bit
 - glibc-locale-32bit
 - glibc-locale-base-32bit
 - alsa-plugins-pulse-32bit
 - libFLAC8-32bit
 - libacl1-32bit
 - libaudit1-32bit
 - libcrypt1-32bit
 - libdbus-1-3-32bit
 - libfontconfig1-32bit
 - libfreetype6-32bit
 - libgmodule-2_0-0-32bit
 - libidn2-0-32bit
 - libkeyutils1-32bit
 - libldb2-32bit
 - liblzma5-32bit
 - libmagic1-32bit
 - libnss_usrfiles2-32bit
 - libparted0-32bit
 - libpci3-32bit
 - libpcre1-32bit
 - libpopt0-32bit
 - libselinux1-32bit
 - libsndfile1-32bit
 - libtirpc3-32bit
 - libudev1-32bit
 - libunistring2-32bit
 - libuuid1-32bit
 - samba-client-32bit
 - qemu-vgabios
 - libXau6-32bit
 - libattr1-32bit
 - libblkid1-32bit
 - libbrotlidec1-32bit
 - libdw1-32bit
 - libexpat1-32bit
 - libffi7-32bit
 - libgdbm4-32bit
 - libgobject-2_0-0-32bit
 - libhogweed6-32bit
 - liblz4-1-32bit
 - libpulse0-32bit
 - libtextstyle0-32bit
 - libvorbis0-32bit
 - nss-mdns-32bit
 - pam_pwquality-32bit
 - perl-base-32bit
 - qemu-ipxe
 - samba-client-libs-32bit

Package Source Changes
======================

acl
-- test: Add helper library to fake passwd/group files
-- quote: escape literal backslashes (bsc#953659).
-- Added patch:
-  * 0001-test-Add-helper-library-to-fake-passwd-group-files.patch
-  * 0002-quote-escape-literal-backslashes.patch
-
-- refresh acl-2.2.52-tests.patch to work with perl 5.26
-
-- BuildRequires gettext-tools-mini instead of gettext-tools: as
-  acl is part of the bootstrap, we want to try to keep the dep
-  chain as small as possible.
-
-- Remove --with-pic that's just for static libraries.
-- Replace %__-type macro indirections.
-  Replace old $RPM_ by their macro equivalents for consistency.
-  Make the macro style consistent across the file again.
-
-- reenable full Large File Support for i586
-
-- Make it possible to disable tests (for Ring0)
-- Add BuildRequires: system-user-daemon for the testsuite
-
-- Add BuildRequires for system user bin needed by test suite
-
-- Update to git snapshot dated 21 Sep 2015.
-  - Added:
-  * 0001-Install-the-libraries-to-the-appropriate-directory.patch
-  * 0002-setfacl.1-fix-typo-inclu-de-include.patch
-  * 0003-test-fix-insufficient-quoting-of.patch
-  * 0004-Makefile-rename-configure.in-to-configure.ac.patch
-  * 0005-Bad-markup-in-acl.5-page.patch
-  * 0006-.gitignore-ignore-and-config.h.in.patch
-  * 0007-Use-autoreconf-rather-than-autoconf-to-regenerate-th.patch
-  * 0008-libacl-Make-sure-that-acl_from_text-always-sets-errn.patch
-  * 0009-libacl-fix-SIGSEGV-of-getfacl-e-on-overly-long-group.patch
-  * 0010-punt-debian-rpm-packaging-logic.patch
-  * 0011-move-gettext-logic-into-misc.h.patch
-  * 0012-test-make-running-parallel-out-of-tree-safe.patch
-  * 0013-modernize-build-system.patch
-  * 0014-po-regenerate-files-after-move.patch
-  * 0015-build-drop-aclincludedir-use-pkgincludedir.patch
-  * 0016-build-make-use-of-an-aux-dir-to-stow-away-helper-scr.patch
-  * 0017-build-ship-a-pkgconfig-file-for-libacl.patch
-  * 0018-read_acl_-comments-seq-rename-line-to-lineno.patch
-  * 0019-read_acl_-comments-seq-switch-to-next_line.patch
-  * 0020-telldir-return-value-and-seekdir-second-parameters-a.patch
-  * 0021-mark-libmisc-funcs-as-hidden-so-they-are-not-exporte.patch
-  * 0022-add-__acl_-prefixes-to-internal-symbols.patch
-  * 0023-cp.test-Check-permissions-of-the-right-file.patch
-  * 0024-libacl-acl_set_file-Remove-unnecesary-racy-check.patch
-  * 0025-fix-compilation-with-latest-xattr-git.patch
-  * 0026-getfacl-Fix-memory-leak.patch
-  * 0027-Fix-the-display-block-nesting-in-acl.5.patch
-  * 0028-setfacl-man-page-Minor-wording-improvements.patch
-  * 0029-getfacl-Fix-minor-resource-leak.patch
-  * 0030-Do-not-export-symbols-that-are-not-supposed-to-be-ex.patch
-  * 0031-walk_tree-mark-internal-variables-as-static.patch
-  * 0032-ignore-configure.lineno.patch
-- Significant spec file restructuring due to 0013-modernize-build-system.patch
-- removed builddefs.in.diff
-
-- Reduce size of filelist by using wildcards;
-  remove %doc (some locations are always %doc),
-  remove %attr (files already have proper permissions)
-
-- add acl-2.2.52-tests.patch and enable tests, check section taken
-  from Fedora package
-
-- remove gpg-offline calls from bootstrap package
-
-- Update to new upstream release 2.2.52
-  * This release fixes a few build system issues that were found and
-  merges in a tree walking bug fix.
-- Remove acl-fiximplicit.patch (merged upstream),
-  config-guess-sub-update.diff (no longer applies)
-- Sync baselibs.conf with in-.spec obsoletes/provides.
-
-- add gpg checking
-
-- use source url
-
-- Add config-guess-sub-update.diff:
-  update config.guess/sub to latest state for AArch64
-
-- Use OS byteswapping routines, application already includes
-  "endian.h" but then goes ahead defining ad-hoc equivalent
-  functionality (0001-Use-OS-byteswapping-macros.patch)
-
-- remove useless automake deps
-
-- patch license to follow spdx.org standard
-
-- license update: GPL-2.0+;LGPL-2.1+
-  SPDX format
-
-- add automake as buildrequire to avoid implicit dependency
-
-- Fix provides/Obsoletes
-
-- Implement shlib package (libacl1)
-- Enable libacl-devel on all baselib arches
-
-- upgrade to 2.2.51
-  - Test fixes
-
-- upgrade to 2.2.50
-  - OPTIONS in man pages should be a section heading, not a subsection heading
-  - Fix a typo in the setfacl man page
-  - setfacl: Clarify that removing a non-existent acl entry is not an error
-  - Prevent setfacl --restore from SIGSEGV on malformed restore file
-  - setfacl: make sure that -R only calls stat(2) on symlinks when it needs to
-  - libacl: fix potential null pointer dereference
-  - setfacl: fix restore crash on malformed input
-  - setfacl: print useful error from read_acl_comments
-  - setfacl: changing owner and when S_ISUID should be set --restore fix
-
-- use %_smp_mflags
-
-- add baselibs.conf as a source
-- adjust baselibs.conf for SPARC
-
-- readded incorrectly removed libattr-devel requires in -devel
-
-- fixed implicit strchr() usage.
-
-- do not package static libraries
-- fix -devel package dependencies
-
-- Version bump to 2.2.48
-  - Document the new flags comments
-  - Include the S_ISUID, S_ISGID, S_ISVTX flags in the getfacl output, and restore them with "setfacl --restore=file".
-  - Make sure that getfacl -R only calls stat(2) on symlinks when it needs to
-  - Stop quoting nonprintable characters in the getfacl output
-  - Avoid unnecessary but destructive chown calls
-  - Clarify license notice
-
alsa-oss
+- use https for urls
+
+- Drop the superfluous buildreq alsa-topology-devel again;
+  it's no longer mandatory
+
+- Fix build breakage by the new alsa update; now it requires
+  alsa-topology-devel
+
+- Avoid repetition of name in summary. Update description.
+
+- Update to alsa-oss 1.1.8 (bsc#1181571):
+  Fix the build with the recent glibc
+- Remove obsoleted patch:
+  remove-libio.patch:
+
+- remove-libio.patch: don't use obsolete <libio.h>
+
+- Remove old kludges
+- Run spec-cleaner
+
+- Update to alsa-oss 1.1.6:
+  * Change FSF address (Franklin Street)
+- Use %license file tag
+
+- Updated to alsa-oss 1.0.28:
+  All previous fix patches are obsoleted:
+  0002-Add-AM_MAINTAINER_MODE-enable-to-configure.in.patch
+  0003-Fix-the-argument-passed-to-snd_pcm_dump_setup.patch
+  0004-Workaround-for-aoss-dmix-with-unaligned-rates.patch
+
+- Fix for dmix with unaligned sample rate:
+  0003-Fix-the-argument-passed-to-snd_pcm_dump_setup.patch
+  0004-Workaround-for-aoss-dmix-with-unaligned-rates.patch
+
branding-openSUSE
+- use path->union for fonts in logo boo#1203394
+
+- Bump to 15.5
+- Supply new Wallpaper Issue#132
+
expat
+- Security fixes:
+  * (CVE-2022-25236, bsc#1196784) [>=2.4.5] Fix to CVE-2022-25236
+    breaks biboumi, ClairMeta, jxmlease, libwbxml,
+    openleadr-python, rnv, xmltodict
+  - Added expat-CVE-2022-25236-relax-fix.patch
+
+- Security fixes:
+  * (CVE-2022-25236, bsc#1196025) Expat before 2.4.5 allows
+    attackers to insert namespace-separator characters into
+    namespace URIs
+  - Added expat-CVE-2022-25236.patch
+  * (CVE-2022-25235, bsc#1196026) xmltok_impl.c in Expat before
+    2.4.5 does not check whether a UTF-8 character is valid in a
+    certain context.
+  - Added expat-CVE-2022-25235.patch
+  * (CVE-2022-25313, bsc#1196168) Stack exhaustion in
+    build_model() via uncontrolled recursion
+  - Added expat-CVE-2022-25313.patch
+  - The fix upstream introduced a regression that was later
+    amended in 2.4.6 version
+    + Added expat-CVE-2022-25313-fix-regression.patch
+  * (CVE-2022-25314, bsc#1196169) Integer overflow in copyString
+  - Added expat-CVE-2022-25314.patch
+  * (CVE-2022-25315, bsc#1196171) Integer overflow in storeRawNames
+  - Added expat-CVE-2022-25315.patch
+
+- Update to latest version 2.4.4 in SLE-15-SP4 [jsc#SLE-21253]
+
+- update to 2.4.4 (bsc#1195217, bsc#1195054):
+  * Security fixes:
+  - CVE-2022-23852 -- Fix signed integer overflow
+    (undefined behavior) in function XML_GetBuffer
+    (that is also called by function XML_Parse internally)
+    for when XML_CONTEXT_BYTES is defined to >0 (which is both
+    common and default).
+    Impact is denial of service or more.
+  - CVE-2022-23990 -- Fix unsigned integer overflow in function
+    doProlog triggered by large content in element type
+    declarations when there is an element declaration handler
+    present (from a prior call to XML_SetElementDeclHandler).
+    Impact is denial of service or more.
+  * Bug fixes:
+  - xmlwf: Fix a memory leak on output file opening error
+  * Other changes:
+  - Version info bumped from 9:3:8 to 9:4:8;
+    see https://verbump.de/ for what these numbers do
+  * Drop unused file valid-xhtml10.png
+
+- update to 2.4.3 (bsc#1194251, bsc#1194362, bsc#1194474,
+    bsc#1194476, bsc#1194477, bsc#1194478, bsc#1194479, bsc#1194480):
+  * CVE-2021-45960 -- Fix issues with left shifts by >=29 places
+    resulting in
+    a) realloc acting as free
+    b) realloc allocating too few bytes
+    c) undefined behavior
+    depending on architecture and precise value
+    for XML documents with >=2^27+1 prefixed attributes
+    on a single XML tag a la
+    "<r xmlns:a='[..]' a:a123='[..]' [..] />"
+    where XML_ParserCreateNS is used to create the parser
+    (which needs argument "-n" when running xmlwf).
+    Impact is denial of service, or more.
+  * CVE-2021-46143 (ZDI-CAN-16157) -- Fix integer overflow
+    on variable m_groupSize in function doProlog leading
+    to realloc acting as free.
+    Impact is denial of service or more.
+  * CVE-2022-22822 to CVE-2022-22827 -- Prevent integer overflows
+    near memory allocation at multiple places.  Mitre assigned
+    a dedicated CVE for each involved internal C function:
+  - CVE-2022-22822 for function addBinding
+  - CVE-2022-22823 for function build_model
+  - CVE-2022-22824 for function defineAttribute
+  - CVE-2022-22825 for function lookup
+  - CVE-2022-22826 for function nextScaffoldPart
+  - CVE-2022-22827 for function storeAtts
+    Impact is denial of service or more.
+
+- update to 2.4.2:
+  * Link against libm for function "isnan"
+  * Include expat_config.h as early as possible
+  * Autotools: Include files with release archives:
+  - buildconf.sh
+  - fuzz/*.c
+  * Autotools: Sync CMake templates
+  * docs: Document that function XML_GetBuffer may return NULL
+    when asking for a buffer of 0 (zero) bytes size
+  * docs: Fix return value docs for both
+    XML_SetBillionLaughsAttackProtection* functions
+  * Version info bumped from 9:1:8 to 9:2:8
+
+- Update to 2.4.1 in SLE-15-SP4 [jsc#SLE-21253]
+  * Remove expat-CVE-2018-20843.patch upstream
+
+- Update to 2.4.1:
+  * Bug fixes:
+  - Autotools: Fix installed header expat_config.h for multilib
+    systems; regression introduced in 2.4.0 by pull request #486
+  * Other changes:
+  - Version info bumped from 9:0:8 to 9:1:8; see
+    https://verbump.de/ for what these numbers do
+
+- Update to 2.4.0: [CVE-2013-0340 "Billion Laughs"]
+  * Security fixes:
+  - CVE-2013-0340/CWE-776 -- Protect against billion laughs attacks
+    (denial-of-service; flavors targeting CPU time or RAM or both,
+    leveraging general entities or parameter entities or both)
+    by tracking and limiting the input amplification factor
+    (<amplification> := (<direct> + <indirect>) / <direct>).
+    By conservative default, amplification up to a factor of 100.0
+    is tolerated and rejection only starts after 8 MiB of output bytes
+    (=<direct> + <indirect>) have been processed.
+    The fix adds the following to the API:
+  - A new error code XML_ERROR_AMPLIFICATION_LIMIT_BREACH to
+    signal this specific condition.
+  - Two new API functions ..
+  - XML_SetBillionLaughsAttackProtectionMaximumAmplification and
+  - XML_SetBillionLaughsAttackProtectionActivationThreshold
+    .. to further tighten billion laughs protection parameters
+    when desired.  Please see file "doc/reference.html" for details.
+    If you ever need to increase the defaults for non-attack XML
+    payload, please file a bug report with libexpat.
+  - Two new XML_FEATURE_* constants ..
+  - that can be queried using the XML_GetFeatureList function, and
+  - that are shown in "xmlwf -v" output.
+  - Two new environment variable switches ..
+  - EXPAT_ACCOUNTING_DEBUG=(0|1|2|3) and
+  - EXPAT_ENTITY_DEBUG=(0|1)
+    .. for runtime debugging of accounting and entity processing.
+    Specific behavior of these values may change in the future.
+  - Two new command line arguments "-a FACTOR" and "-b BYTES"
+    for xmlwf to further tighten billion laughs protection
+    parameters when desired.
+    If you ever need to increase the defaults for non-attack XML
+    payload, please file a bug report with libexpat.
+  * Bug fixes:
+  - For (non-default) compilation with -DEXPAT_MIN_SIZE=ON (CMake)
+    or CPPFLAGS=-DXML_MIN_SIZE (GNU Autotools): Fix segfault
+    for UTF-16 payloads containing CDATA sections.
+  - Autotools: Fix generated CMake files for non-64bit and
+    non-Linux platforms (e.g. macOS and MinGW in particular)
+    that were introduced with release 2.3.0
+  * Other changes:
+  - xmlwf: Improve help output and the xmlwf man page
+  - xmlwf: Improve maintainability through some refactoring
+  - xmlwf: Fix man page DocBook validity
+  - CMake: Support absolute paths for both CMAKE_INSTALL_LIBDIR
+    and CMAKE_INSTALL_INCLUDEDIR
+  - CMake: Add support for standard variable BUILD_SHARED_LIBS
+  - Unexpose symbol _INTERNAL_trim_to_complete_utf8_characters
+  - Resolve macro HAVE_EXPAT_CONFIG_H
+  - Delete unused legacy helper file "conftools/PrintPath"
+  - doc/reference.html: Fix XHTML validity
+  - doc/reference.html: Replace the 90s look by OK.css
+  - Version info bumped from 8:0:7 to 9:0:8 due to addition of
+    new symbols and error codes; see https://verbump.de/ for
+    what these numbers do
+
+- Do not BuildRequire cmake: expat is part of the distro bootstrap
+  cycle and any additional dependency makes the ring larger. In
+  this case here, cmake was even only used to own a directory.
+
+- update to 2.3.0:
+  * When calling XML_ParseBuffer without a prior successful call to
+    XML_GetBuffer as a user, no longer trigger undefined behavior
+    (by adding an integer to a NULL pointer) but rather return
+    XML_STATUS_ERROR and set the error code to (new) code
+    XML_ERROR_NO_BUFFER. Found by UBSan (UndefinedBehaviorSanitizer)
+    of Clang 11 (but not Clang 9).
+  * xmlwf: Exit status 2 was used for both:
+  - malformed input files (documented) and
+  - invalid command-line arguments (undocumented).
+    The case of invalid command-line arguments now
+    has its own exit status 4, resolving the ambiguity.
+  * Other changes
+
+- Update to 2.2.10:
+  * Bug fixes:
+  - Fix undefined behavior during parsing caused by pointer
+    arithmetic with NULL pointers
+  - Fix reading uninitialized variable during parsing
+  - xmlwf: Add missing check for malloc NULL return
+  * Other changes:
+  - xmlwf: Document exit codes in xmlwf manpage and exit with code 3
+    (rather than code 1) for output errors when used with "-d DIRECTORY"
+  - Autotools: Use -Werror while configure tests the compiler for
+    supported compile flags to avoid false positives
+  - Autotools: Improve handling of user (C|CPP|CXX|LD)FLAGS, e.g.
+    ensure that they have the last word over flags added while
+    running ./configure
+  - CMake: Create libexpatw.{dll,so} and expatw.pc (with emphasis
+    on suffix "w") with -DEXPAT_CHAR_TYPE=(ushort|wchar_t)
+  - CMake: Detect and deny unsupported build combinations
+    involving -DEXPAT_CHAR_TYPE=(ushort|wchar_t)
+  - CMake: Install pre-compiled shipped xmlwf.1 manpage in case
+    of -DEXPAT_BUILD_DOCS=OFF
+  - CMake: Fix use of Expat by means of add_subdirectory
+  - CMake: Keep expat target name constant at "expat" (i.e. refrain
+    from using the target name to control build artifact filenames)
+  - CMake: Expose man page compilation as target "xmlwf-manpage"
+  - CMake: Introduce option EXPAT_BUILD_PKGCONFIG to control
+    generation of pkg-config file "expat.pc"
+  - CMake: Add minimalistic support for building binary packages
+    with CMake target "package"; based on CPack
+  - CMake: Add option -DEXPAT_OSSFUZZ_BUILD=(ON|OFF) with default
+    OFF to build fuzzer code against OSS-Fuzz and related
+    environment variable LIB_FUZZING_ENGINE
+  - Fix testsuite for -DEXPAT_DTD=OFF and -DEXPAT_NS=OFF
+  - Address compiler warnings
+  - Address pngcheck warnings with doc/*.png images: Version info
+    bumped from 7:11:6 to 7:12:6
+
+- Version update to 2.2.9
+  * Other changes:
+  - examples: Drop executable bits from elements.c
+    [#349]  Windows: Change the name of the Windows DLLs from expat*.dll
+    to libexpat*.dll once more (regression from 2.2.8, first
+    fixed in 1.95.3, issue #61 on SourceForge today,
+    was issue #432456 back then); needs a fix due
+    case-insensitive file systems on Windows and the fact that
+    Perl's XML::Parser::Expat compiles into Expat.dll.
+    [#347]  Windows: Only define _CRT_RAND_S if not defined
+    Version info bumped from 7:10:6 to 7:11:6
+
+- Version update to 2.2.8
+  * Security fixes: (CVE-2019-15903, bsc#1149429)
+  - CVE-2019-15903 -- Fix heap overflow triggered by XML_GetCurrentLineNumber
+    (or XML_GetCurrentColumnNumber), and deny internal entities closing the doctype;
+  * Bug fixes:
+  - Fix cases where XML_StopParser did not have any effect
+    when called from inside of an end element handler
+  - xmlwf: Fix exit code for operation without "-d DIRECTORY";
+    previously, only "-d DIRECTORY" would give you a proper exit code:
+    Now both cases return exit code 2.
+  * Other changes:
+  - examples: Improve elements.c
+  - Autotools: Add argument --enable-xml-attr-info
+  - Autotools: Add arguments --with-getrandom --without-getrandom --with-sys-getrandom --without-sys-getrandom
+  - Autotools: Fix linking issues with "./configure LD=clang"
+  - Autotools: Fix "make run-xmltest" for out-of-source builds
+  - CMake: Pull all options from Expat <=2.2.7 into namespace
+  - CMake: Add argument -DEXPAT_ATTR_INFO=(ON|OFF), default OFF
+  - CMake: Add argument -DEXPAT_LARGE_SIZE=(ON|OFF), default OFF
+  - CMake: Add argument -DEXPAT_MIN_SIZE=(ON|OFF), default OFF
+  - CMake: Add arguments -DEXPAT_WITH_GETRANDOM=(ON|OFF|AUTO), default AUTO
+  - CMake: Add arguments -DEXPAT_WITH_SYS_GETRANDOM=(ON|OFF|AUTO), default AUTO
+  - CMake: Install expat_config.h to include directory
+  - CMake: Generate and install configuration files for future find_package(expat [..] CONFIG [..])
+  - CMake: Now produces a summary of applied configuration
+  - CMake: Require C++ compiler only when tests are enabled
+  - CMake: Fix compilation for 16bit character types, i.e. ex -DXML_UNICODE=ON (and ex -DXML_UNICODE_WCHAR_T=ON)
+  - CMake: Port "make run-xmltest" from GNU Autotools to CMake
+  - CMake: Integrate OSS-Fuzz fuzzers, option -DEXPAT_BUILD_FUZZERS=(ON|OFF), default OFF
+- Removed patches fixed in the update:
+  * expat-CVE-2019-15903.patch
+  * expat-CVE-2019-15903-tests.patch
+
+- Security fix (CVE-2019-15903, bsc#1149429)
+  * Crafted XML input results in heap-based buffer over-read by fooling
+    the parser into changing from DTD parsing to document parsing
+  * Added patches:
+  - expat-CVE-2019-15903.patch
+  - expat-CVE-2019-15903-tests.patch
+
+- Version update to 2.2.7 (CVE-2018-20843, bsc#1139937)
+  * Security fixes:
+  - CVE-2018-20843 - Fix extraction of namespace prefixes from
+    XML names; XML names with multiple colons could end up in
+    the wrong namespace, and take a high amount of RAM and CPU
+    resources while processing, opening the door to use for
+    denial-of-service attacks
+  * Other changes:
+  - Autotools/CMake: Utilize -fvisibility=hidden to stop
+    exporting non-API symbols
+  - Autotools: Add --without-examples and --without-tests
+  - Autotools: Modernize configure.ac
+  - Autotools: Fix check for -fvisibility=hidden for Clang
+  - Autotools: Fix compilation for lack of docbook2x-man
+  - CMake: Make libdir of pkgconfig expat.pc support multilib
+  - CMake: Build man page in PROJECT_BINARY_DIR not _SOURCE_DIR
+  - Remove fallback to bcopy, assume that memmove(3) exists
+- Removed expat-2.2.6-fix-make-clean.patch
+
+- Add expat-2.2.6-fix-make-clean.patch
+- Allow profile guided optimization again
+
+- Drop docbook2x dependency, the manpages are generated in
+  the upstream archive and this way we break buildcycle
+
+- Version update to 2.2.6 Sun August 12 2018
+  * Bug fixes:
+  - Avoid doing arithmetic with NULL pointers in XML_GetBuffer
+  - Fix 2.2.5 regression with suspend-resume while parsing
+    a document like '<root/>'
+  * Other changes:
+  - Autotools: Fix docbook-related configure syntax error
+  - Autotools: Avoid grep option `-q` for Solaris
+  - Autotools: Support
+    ./configure DOCBOOK_TO_MAN="xmlto man --skip-validation"
+  - Autotools: Support DOCBOOK_TO_MAN command which produces
+    xmlwf.1 rather than XMLWF.1; also covers case insensitive
+    file systems
+  - Autotools: Drop -rpath option passed to libtool
+  - Autotools: Detect and deny SGML docbook2man as ours is XML
+  - Autotools/CMake: Support command db2x_docbook2man as well
+  - CMake: Introduce option WARNINGS_AS_ERRORS, defaults to OFF
+  - CMake: Introduce option MSVC_USE_STATIC_CRT, defaults to OFF
+  - CMake: Introduce option XML_UNICODE and XML_UNICODE_WCHAR_T,
+    both defaulting to OFF
+  - CMake: Prefer check_symbol_exists over check_function_exists
+  - CMake: Create the same pkg-config file as with GNU Autotools
+  - CMake: Use GNUInstallDirs module to set proper defaults for
+    install directories
+  - CMake: Utilize expat_config.h.cmake for XML_DEV_URANDOM
+  - Address compiler warnings
+  - Fix miscellaneous typos
+
+- Expand description of expat-devel.
+
+- Do not generate manpages from docbook
+- Temporarily disable profiling due to bug in build system
+
+- Version update to 2.2.5 Tue October 31 2017
+  * Bug fixes:
+  - If the parser runs out of memory, make sure its internal
+    state reflects the memory it actually has, not the memory
+    it wanted to have.
+  - The default handler wasn't being called when it should for
+    a SYSTEM or PUBLIC doctype if an entity declaration handler
+    was registered.
+  - Fix a case of mistakenly reported parsing success where
+    XML_StopParser was called from an element handler
+  - Function XML_ErrorString was returning NULL rather than
+    a message for code XML_ERROR_INVALID_ARGUMENT
+    introduced with release 2.2.1
+  * Other changes:
+  - Add argument -N adding notation declarations
+  - various compiler-specific fixes
+  - Improve docbook2x-man detection
+- drop expat-docbook.patch
+  * fixed in 0f5186c7b8e503c669e332d944712de010b265f3
+- switch to github for release tarballs and website
+
+- Version update to 2.2.4 Sat August 19 2017
+  * Bug fixes:
+    [#115]  Fix copying of partial characters for UTF-8 input
+  * Other changes:
+    [#109]  Fix "make check" for non-x86 architectures that default
+    to unsigned type char (-128..127 rather than 0..255)
+    [#109]  coverage.sh: Cover -funsigned-char
+    Autotools: Introduce --without-xmlwf argument
+    [#65]  Autotools: Replace handwritten Makefile with GNU Automake
+    [#43]  CMake: Auto-detect high quality entropy extractors, add new
+    option USE_libbsd=ON to use arc4random_buf of libbsd
+    [#74]  CMake: Add -fno-strict-aliasing only where supported
+    [#114]  CMake: Always honor manually set BUILD_* options
+    [#114]  CMake: Compile man page if docbook2x-man is available, only
+    [#117]  Include file tests/xmltest.log.expected in source tarball
+    (required for "make run-xmltest")
+    [#111]  Fix some typos in documentation
+    Version info bumped from 7:5:6 to 7:6:6
+- Release 2.2.3 Wed August 2 2017
+  * Bug fixes:
+    [#85]  Fix a dangling pointer issue related to realloc
+  * Other changes:
+    [#91]  Linux: Allow getrandom to fail if nonblocking pool has not
+    yet been initialized and read /dev/urandom then, instead.
+    This is in line with what recent Python does.
+    [#86]  Check that a UTF-16 encoding in an XML declaration has the
+    right endianness
+  [#4] #5 #7  Recover correctly when some reallocations fail
+    Repair "./configure && make" for systems without any
+    provider of high quality entropy
+    and try reading /dev/urandom on those
+    Ensure that user-defined character encodings have converter
+    functions when they are needed
+    Fix mis-leading description of argument -c in xmlwf.1
+    Rely on macro HAVE_ARC4RANDOM_BUF (rather than __CloudABI__)
+    for CloudABI
+    [#100]  Fix use of SIPHASH_MAIN in siphash.h
+    [#23]  Test suite: Fix memory leaks
+    Version info bumped from 7:4:6 to 7:5:6
+- Release 2.2.2 Wed July 12 2017
+  * Security fixes:
+    [#43]  Protect against compilation without any source of high
+    quality entropy enabled, e.g. with CMake build system;
+  * [MOX-006] Fix non-NULL parser parameter validation in XML_Parse;
+    resulted in NULL dereference, previously;
+  * Bug fixes:
+    [#69]  Fix improper use of unsigned long long integer literals
+  * Other changes:
+    [#73]  Start requiring a C99 compiler
+    [#49]  Fix "==" Bashism in configure script
+    [#58]  Address compile warnings
+    [#68]  Fix "./buildconf.sh && ./configure" for some versions
+    of Dash for /bin/sh
+    [#72]  CMake: Ease use of Expat in context of a parent project
+    with multiple CMakeLists.txt files
+    [#72]  CMake: Resolve mistaken executable permissions
+    [#76]  Address compile warning with -DNDEBUG (not recommended!)
+    [#77]  Address compile warning about macro redefinition
+  * Added patch expat-docbook.patch to compile the man pages with
+  docbook-to-man
+  * Cleaned spec file with spec-cleaner
+
+- Allow building when do_profiling is undefined
+
+- Build with profiling when possible
+
+- Version update to 2.2.1 Sat June 17 2017
+  - Security fixes:
+    CVE-2017-9233 / bsc#1047236 -- External entity infinite loop DoS
+    Details: https://libexpat.github.io/doc/cve-2017-9233/
+    Commit c4bf96bb51dd2a1b0e185374362ee136fe2c9d7f
+  - [MOX-002]      CVE-2016-9063 / bsc#1047240 -- Detect integer overflow;
+    (Fixed version of existing downstream patches!)
+  - (SF.net) #539  Fix regression from fix to CVE-2016-0718 cutting off
+    longer tag names;
+    [#25]  More integer overflow detection (function poolGrow);
+  - [MOX-002]      Detect overflow from len=INT_MAX call to XML_Parse;
+  - [MOX-005] #30  Use high quality entropy for hash initialization:
+  * arc4random_buf on BSD, systems with libbsd
+    (when configured with --with-libbsd), CloudABI
+  * RtlGenRandom on Windows XP / Server 2003 and later
+  * getrandom on Linux 3.17+
+    In a way, that's still part of CVE-2016-5300.
+    https://github.com/libexpat/libexpat/pull/30/commits
+  - [MOX-005] For the low quality entropy extraction fallback code,
+    the parser instance address can no longer leak,
+  - [MOX-003] Prevent use of uninitialised variable; commit
+  - [MOX-004] a4dc944f37b664a3ca7199c624a98ee37babdb4b
+    Add missing parameter validation to public API functions
+    and dedicated error code XML_ERROR_INVALID_ARGUMENT:
+  - [MOX-006] * NULL checks; commits
+  * Negative length (XML_Parse); commit
+  - [MOX-002] 70db8d2538a10f4c022655d6895e4c3e78692e7f
+  - [MOX-001] #35  Change hash algorithm to William Ahern's version of SipHash
+    to go further with fixing CVE-2012-0876.
+    https://github.com/libexpat/libexpat/pull/39/commits
+  - Bug fixes:
+    [#32] Fix sharing of hash salt across parsers;
+    relevant where XML_ExternalEntityParserCreate is called
+    prior to XML_Parse, in particular (e.g. FBReader)
+    [#28] xmlwf: Auto-disable use of memory-mapping (and parsing
+    as a single chunk) for files larger than ~1 GB (2^30 bytes)
+    rather than failing with error "out of memory"
+    [#3]  Fix double free after malloc failure in DTD code; commit
+    7ae9c3d3af433cd4defe95234eae7dc8ed15637f
+    [#17] Fix memory leak on parser error for unbound XML attribute
+    prefix with new namespaces defined in the same tag;
+    found by Google's OSS-Fuzz; commits
+    xmlwf on Windows: Add missing calls to CloseHandle
+  - New features:
+    [#30] Introduced environment switch EXPAT_ENTROPY_DEBUG=1
+    for runtime debugging of entropy extraction
+    Bump version info from 7:2:6 to 7:3:6
+
+- Remove pointless --with-pic (for static only)
+
+- Version update to 2.2.0:
+  * Fixes bnc#983215 CVE-2012-6702
+  * Fixes bnc#983216 CVE-2016-5300
+  * Various cmake and autotools script updates
+  * Fix detection of utf8 character boundaries
+- Remove all patches merged upstream:
+  * expat-2.1.1-avoid_relying_on_undef_behaviour.patch
+  * expat-2.1.1-parser_crashes_on_malformed_input.patch
+  * expat-alloc-size.patch
+  * expat-visibility.patch
+
+- add expat-2.1.1-avoid_relying_on_undef_behaviour.patch to avoid
+  relying on undefined behavior in the original CVE-2015-1283 fix
+  [bnc#980391], [bnc#983985], [CVE-2016-4472]
+- add expat-2.1.1-parser_crashes_on_malformed_input.patch to fix
+  Expat XML parser that mishandles certain kinds of malformed input
+  documents [bnc#979441], [CVE-2016-0718]
+- use spec-cleaner to clean specfile
+
+- After simplification of expat-visibility.patch, it became
+  ineffective as no symbols are getting hidden. add
+  -fvisibility=hidden to CFLAGS again.
+- expat-alloc-size.patch: fix braino, realloc()-like functions
+  should not take __attribute__(malloc)
+
+- Update to version 2.1.1
+  * Fixes CVE-2015-1283 — Multiple integer overflows in the
+    XML_GetBuffer function
+  * Fix potential null pointer dereference
+  * Symbol XML_SetHashSalt was not exported
+  * Output of xmlwf -h was incomplete
+  * Document behavior of calling XML_SetHashSalt with salt 0
+  * Minor improvements to man page xmlwf(1)
+- Simplify expat-visibility.patch, refresh expat-alloc-size.patch
+- Drop config-guess-sub-update.patch, fixed upstream.
+
+- Cleanup spec file with spec-cleaner
+- Remove old ppc obsoletes/provides
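Review bot: the [#17] entry ends at "found by Google's OSS-Fuzz; commits" with no commit ids after it, while the [#3] entry just above names its commit in full; the entry should either list the hashes or drop the trailing "commits". In the expat-visibility.patch entry further down, the compiler flag is split as "- fvisibility=hidden" at the start of a line, so it reads as a list item; it should be written as -fvisibility=hidden. The same entry says "uneffective" where "ineffective" is meant.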
+
flac
-- Fix out of bound write in append_to_verify_fifo_interleaved_
-  (CVE-2021-0561 bsc#1196660):
-  libFlac-Exit-at-EOS-in-verify-mode.patch
-
-- Fix memory leak (CVE-2020-0487 bsc#1180112):
-  stream_decoder.c-Fix-a-memory-leak.patch
-
-- Fix out-of-bounds access (CVE-2020-0499 bsc#1180099):
-  libFLAC-bitreader.c-Fix-out-of-bounds-read.patch
-
-- Fix memory leak in read_metadata_vorbiscomment_() function
-  (CVE-2017-6888, bsc#1091045):
-  flac-CVE-2017-6888.patch
-
-- Update to version 1.3.2
-  * Fix undefined behaviour using GCC/Clang UBSAN (erikd).
-  * General hardening via fuzz testing with AFL (erikd and
-    others).
-  * General code improvements (lvqcl, erikd and others).
-  * Add FLAC in MP4 specification docs (Ralph Giles).
-  * Fix some cppcheck warnings (erikd).
-  * Assume all currently used OSes support SSE2.
-  flac:
-  * Fix potential infinite loop on flac-to-flac conversion
-    (erikd).
-  * Add WAVEFORMATEXTENSIBLE to WAV (as needed) when
-    decoding (lvqcl).
-  * Only write vorbis-comments if they are non-empty.
-  * Error out if decoding RAW with bits != (8|16|24).
-  metaflac:
-  * Add --scan-replay-gain option.
-  libraries:
-  * CPU detection cleanup and fixes (Julian Calaby, erikd
-    and lvqcl).
-  * Fix two stream decoder bugs (Max Kellermann).
-  * Fix a NULL dereference bug (on a malformed file).
-  * Changed the LPC order guess for a slight compression
-    improvement, particularly for classical music
-    (Martijn van Beurden).
-  * Improved encoding speed on older Intel CPUs.
-  * Fixed a seeking bug when decoding certain files
-    (Miroslav Lichvar).
-  * Put an upper bound (32768) on the number of seek
-    points.
-  * Fix potential memory leaks.
-  * Support 64bit brword/bwword allowing
-    FLAC__BYTES_PER_WORD to be set to 8 (disabled by
-    default).
-  * Fix an out-of-bounds heap read.
-- Refreshed flac-cflags.patch
-
-- Drop patch that should be upstreamed first, otherwise we will
-  have to keep it ofrever:
-  * flac-ocloexec.patch
-- Drop wrong patch:
-  * flac-fix-pkgconfig.patch
-    + If using this change you get assert.h include overriden in your
-    project by the one from FLAC/ which is not what upstream desired
-    If packages fail to build they should fix their include
-
-- Build documentation as noarch
-
-- Cleanup spec file with spec-cleaner
-- Update url
-- Remove no longer needed patches
-  * flac-fix-CVE-2014-8962.patch
-  * flac-fix-CVE-2014-9028.patch
-  * 0001-getopt_long-not-broken-here.patch
-- Remove following as benefit of using openssl is small
-  * 0001-Allow-use-of-openSSL.patch
-- Add flac-cflags.patch
-- Use doxygen to build documentation
-- Split documentation to separate package
-- Update to 1.3.1
-  * Improved decoding efficiency of all bit depths but especially
-    so for 24 bits for IA32 architecture (lvqcl and Miroslav Lichvar).
-  * Faster encoding using SSE and AVX (lvqcl).
-  * Fixed bartlett, bartlett_hann and triangle functions.
-  * New apodization functions partial_tukey and punchout_tukey for
-    improved compression (Martijn van Beurden).
-  * Retuned compression presets to incorporate new apodization
-    functions (Martijn van Beurden).
-  * Fix -Wcast-align warnings on armhf architecture (Erik de
-    Castro Lopo).
-  * Help output documentation improvements.
-  * I/O buffering improvements on Windows to reduce disk
-    fragmentation when writing files.
-  * Only write vorbis-comments if they are non-empty.
-  * Fix symbol visibility in XMMS plugin.
-  * Many fixes and improvements across all the build systems.
-  * Fix CVE-2014-9028 (heap write overflow) and CVE-2014-8962
-    (heap read overflow)
-
-- A couple of security fixes:
-  * flac-fix-CVE-2014-8962.patch:
-    arbitrary code execution by a stack overflow (CVE-2014-8962,
-    bnc#906831)
-  * flac-fix-CVE-2014-9028.patch:
-    Heap overflow via specially crafted .flac files (CVE-2014-9028,
-    bnc#907016)
-
-- Update to final upstream release 1.3.0
-  * No user-visible changes
-- More robust make install call
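Review bot: CVE-2014-8962 is described two ways in this removed block: the 1.3.1 entry calls it a "heap read overflow", while the flac-fix-CVE-2014-8962.patch entry below it says "arbitrary code execution by a stack overflow". Anyone triaging from this changelog gets conflicting severity and bug class for the same id, so one wording should be chosen and used in both places. The flac-ocloexec.patch entry also has "ofrever" for "forever".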
-
freetype2
-- Add CVE-2020-15999.patch to fix a heap buffer overflow has been
-  found  in the handling of embedded PNG bitmaps
-  CVE-2020-15999 bsc#1177914
-
-- Use the compiler default C std, since 2012 gcc defaults
-  have changed, we now only need to get rid of ANSIFLAGS, override
-  that variable instead.
-
-- Update to version 2.10.1
-  * The bytecode hinting of OpenType variation fonts was flawed, since
-    the data in the `CVAR' table wasn't correctly applied.
-  * Auto-hinter support for Mongolian.
-  * The handling of  the default character in PCF fonts as  introduced
-    in version 2.10.0 was partially broken, causing premature abortion
-    of charmap iteration for many fonts.
-  * If  `FT_Set_Named_Instance' was  called  with  the same  arguments
-    twice in a row, the function  returned an incorrect error code the
-    second time.
-  * Direct   rendering   using  FT_RASTER_FLAG_DIRECT   crashed   (bug
-    introduced in version 2.10.0).
-  * Increased  precision  while  computing  OpenType  font   variation
-    instances.
-  * The  flattening  algorithm of  cubic  Bezier  curves was  slightly
-    changed to make  it faster.  This can cause  very subtle rendering
-    changes, which aren't noticeable by the eye, however.
-  * The  auto-hinter  now  disables hinting  if there  are blue  zones
-    defined for a `style' (i.e., a certain combination of a script and
-    its related typographic features) but the font doesn't contain any
-    characters needed to set up at least one blue zone.
-- Add tarball signatures and freetype2.keyring
-
-- Update to version 2.10.0
-  * A bunch of new functions has been added to access and process
-    COLR/CPAL data of OpenType fonts with color-layered glyphs.
-  * As a GSoC 2018 project, Nikhil Ramakrishnan completely
-    overhauled and modernized the API reference.
-  * The logic for computing the global ascender, descender, and
-    height of OpenType fonts has been slightly adjusted for
-    consistency.
-  * `TT_Set_MM_Blend' could fail if called repeatedly with the same
-    arguments.
-  * The precision of handling deltas in Variation Fonts has been
-    increased.The problem did only show up with multidimensional
-    designspaces.
-  * New function `FT_Library_SetLcdGeometry' to set up the geometry
-    of LCD subpixels.
-  * FreeType now uses the `defaultChar' property of PCF fonts to set
-    the  glyph for  the undefined  character  at glyph  index 0  (as
-    FreeType already does for all other supported font formats).  As
-    a consequence, the order of glyphs of a PCF font if accessed
-    with  FreeType can be different now compared to previous
-    versions.
-    This change doesn't affect PCF font access with cmaps.
-  * `FT_Select_Charmap' has been changed to allow  parameter value
-    `FT_ENCODING_NONE', which is valid for BDF, PCF, and Windows FNT
-    formats to access built-in cmaps that don't have a predefined
-    `FT_Encoding' value.
-  * A previously reserved field in the `FT_GlyphSlotRec' structure
-    now holds the glyph index.
-  * The usual round of fuzzer bug fixes to better reject malformed
-    fonts.
-  * `FT_Outline_New_Internal' and `FT_Outline_Done_Internal' have
-    been removed.These two functions were public by oversight only
-    and were never documented.
-  * A new function `FT_Error_String' returns descriptions of error
-    codes if configuration macro FT_CONFIG_OPTION_ERROR_STRINGS is
-    defined.
-  * `FT_Set_MM_WeightVector' and `FT_Get_MM_WeightVector' are new
-    functions limited to Adobe MultiMaster fonts to directly set and
-    get the weight vector.
-
-- Remove old ppc64 parts in spec file
-- Refresh patches:
-  + bugzilla-308961-cmex-workaround.patch
-  + don-t-mark-libpng-as-required-library.patch
-  + enable-long-family-names-by-default.patch
-- Enable subpixel rendering with infinality config:
-  + enable-subpixel-rendering.patch
-  + enable-infinality-subpixel-hinting.patch
-
-- Re-enable freetype-config, there is just too many fallouts.
-
-- Update to version 2.9.1
-  * Type 1 fonts containing flex features were not rendered
-    correctly (bug introduced in version 2.9).
-  * CVE-2018-6942: Older FreeType versions can crash with certain
-    malformed variation fonts.
-  * Bug fix: Multiple calls to `FT_Get_MM_Var' returned garbage.
-  * Emboldening of bitmaps didn't work correctly sometimes, showing
-    various artifacts (bug introduced in version 2.8.1).
-  * The auto-hinter script ranges have  been updated for Unicode 11.
-    No support for new scripts have been added, however,  with the
-    exception of Georgian Mtavruli.
-- freetype-config is now deprecated by upstream and not enabled
-  by default.
-- Drop upstreamed patches:
-  * bnc1079600.patch
-  * psaux-flex.patch
-  * 0001-src-truetype-ttinterp.c-Ins_GETVARIATION-Avoid-NULL-.patch
-  * 0001-truetype-Better-protection-against-invalid-VF-data.patch
-
-- Add bnc1079600.patch: Fix several integer overflow issues in
-  truetype/ttinterp.c (bsc#1079600)
-
-- Refresh spec-file via spec-cleaner.
-- Add shell script freetype2.sh in separate package
-  freetype2-profile-tti35 in order to be able to set TrueType
-  interpreter version 35 (boo#1084085).
-
-- Added patch:
-  * enable-long-family-names-by-default.patch
-    + Define PCF_CONFIG_OPTION_LONG_FAMILY_NAMES to obtain 2.7.1
-    behaviour
-
-- Added patches:
-  * 0001-src-truetype-ttinterp.c-Ins_GETVARIATION-Avoid-NULL-.patch
-    + Upstream fix for bsc#1079603: Avoid NULL reference in
-    src/truetype/ttinterp.c
-  * 0001-truetype-Better-protection-against-invalid-VF-data.patch
-    + Upstream fix for bsc#1079601: Protection against invalid VF
-    data
-
-- Add psaux-flex.patch to fix a regression in Type1 rendering
-
-- Update to version 2.9
-  * Advance width values of variation fonts were often wrong.
-  * More fixes for variation font support; you should update to
-    this version if you want to support them.
-  * As a GSoC project, Ewald Hew extended the new (Adobe) CFF
-    engine to handle Type 1 fonts also, thus greatly improving
-    the rendering of this format. This is the new default.
-  * A new function, `FT_Set_Named_Instance', can be used to set
-    or change the current named instance.
-  * Starting with this FreeType version, resetting variation
-    coordinates will return to the currently selected named
-    instance. Previously, FreeType returned to the base font
-    (i.e., no instance set).
-  * Some fuzzer fixes to better reject malformed fonts.
-
-- Update to version 2.8.1
-  * B/W  hinting   of  TrueType   fonts  didn't  work   properly  if
-    interpreter version 38 or 40 was selected.
-  * Some severe  problems within the handling  of TrueType Variation
-    Fonts were found and fixed.
-  * Function `FT_Set_Var_Design_Coordinates' didn't correctly handle
-    the case with less input coordinates than axes.
-  * By default,  FreeType  now offers  high  quality  LCD-optimized
-    output  without resorting to ClearType techniques of resolution
-    tripling and filtering.  In this method,  called Harmony,  each
-    color channel is generated separately  after shifting the glyph
-    outline,  capitalizing on the fact  that the color grids on LCD
-    panels  are  shifted  by  a third  of  a pixel.  This output is
-    indistinguishable from ClearType with a light 3-tap filter.
-  * Using the  new function `FT_Get_Var_Axis_Flags',  an application
-    can access the `flags' field  of a variation axis (introduced in
-    OpenType version 1.8.2)
-  * FreeType  now synthesizes  a  missing Unicode  cmap for  (older)
-    TrueType fonts also if glyph names are available.
-  * The warping option  has moved  from `light'  to `normal' hinting
-    where  it replaces  the original hinting algorithm.  The `light'
-    mode is now always void of any hinting in x-direction.
-
-- Update to version 2.8
-  * Support for OpenType Variation Fonts is now complete. The last
-    missing part was handling the `VVAR' and `MVAR' tables, which is
-    available with this release.
-  * A new  function `FT_Face_Properties' allows the  control of some
-    module  and   library  properties  per  font.    Currently,  the
-    following properties can be  handled: stem darkening, LCD filter
-    weights, and the random seed for the `random' CFF operator.
-  * The PCF change to show more `colourful' family names (introduced
-    in version 2.7.1) was too radical; it can now be configured with
-    PCF_CONFIG_OPTION_LONG_FAMILY_NAMES   at   compile   time.    If
-    activated, it can  be switched off at run time  with the new pcf
-    property  `no-long-family-names'.  If  the `FREETYPE_PROPERTIES'
-    environment variable is available, you can say
-    FREETYPE_PROPERTIES=pcf:no-long-family-names=1
-  * Support  for  the  following  scripts  has  been  added  to  the
-    auto-hinter.
-    Adlam, Avestan, Bamum, Buhid, Carian, Chakma, Coptic, Cypriot,
-    Deseret, Glagolitic, Gothic, Kayah, Lisu, N'Ko, Ol Chiki, Old
-    Turkic, Osage, Osmanya, Saurashtra, Shavian, Sundanese, Tai
-    Viet, Tifinagh, Unified Canadian Syllabics, Vai
-  * `Light' auto-hinting  mode no  longer uses TrueType  metrics for
-    TrueType  fonts.   This bug  was  introduced  in version  2.4.6,
-    causing   horizontal  scaling   also.    Almost  all   GNU/Linux
-    distributions (with Fedora as  a notable exception) disabled the
-    corresponding patch for good reasons; chances are thus high that
-    you won't notice a difference.
-  * If a TrueType font gets loaded with FT_LOAD_NO_HINTING, FreeType
-    now scales  the font linearly  again (bug introduced  in version
-    2.4.6).
-  * Fixed CVE-2017-8105,  CVE-2017-8287:  Older   FreeType  versions
-    have out-of-bounds  writes  caused  by  heap-based  buffer  overflows
-    related to Type 1 fonts. (boo#1035807, boo#1036457)
-- See https://sourceforge.net/projects/freetype/files/freetype2/2.8/ for
-  the complete changelog.
-
-- Update to version 2.7.1:
-  * IMPORTANT CHANGES
-    + Support for the new CFF2 font format as introduced with
-    OpenType 1.8 has been contributed by Dave Arnolds from Adobe.
-    + Preliminary support for variation fonts as specified in
-    OpenType 1.8 (in addition to the already existing support for
-    Adobe's MM and Apple's GX formats). Dave Arnolds contributed
-    handling of advance width change variation; more will come in
-    the next version.
-  * IMPORTANT BUG FIXES
-    + Handling of raw CID fonts was partially broken (bug introduced
-    in 2.6.4).
-  * MISCELLANEOUS
-    + Some limits for TrueType bytecode execution have been tightened
-    to speed up FreeType's handling of malformed fonts, in
-    particular to quickly abort endless loops.
-    + The number of twilight points can no longer be set to an
-    arbitrarily large value.
-    + The total number of jump opcode instructions (like JMPR) with
-    negative arguments is dynamically restricted; the same holds
-    for the total number of iterations in LOOPCALL opcodes.
-    + The dynamic limits are based on the number of points in a glyph
-    and the number of CVT entries. Please report if you encounter a
-    font where the selected values are not adequate.
-    + PCF family names are made more `colourful'; they now include the
-    foundry and information whether they contain wide characters.
-    For example, you no longer get `Fixed' but rather `Sony Fixed'
-    or `Misc Fixed Wide'.
-    + A new function `FT_Get_Var_Blend_Coordinates' (with its alias
-    name `FT_Get_MM_Blend_Coordinates') to retrieve the normalized
-    blend coordinates of the currently selected variation instance
-    has been added to the Multiple Masters interface.
-    + A new function `FT_Get_Var_Design_Coordinates' to retrieve the
-    design coordinates of the currently selected variation instance
-    has been added to the Multiple Masters interface.
-    + A new load flag `FT_LOAD_BITMAP_METRICS_ONLY' to retrieve bitmap
-    information without loading the (embedded) bitmap itself.
-    + Retrieving advance widths from bitmap strikes (using
-    `FT_Get_Advance' and `FT_Get_Advances') have been sped up.
-    + The usual round of fuzzer fixes to better reject malformed
-    fonts.
-- Drop freetype2-bitmap-foundry.patch, merged upstream.
-
-- update to version 2.7:
-  * IMPORTANT CHANGES
-    + As announced earlier, the 2.7.x series now uses the new subpixel
-    hinting  mode as  the  default, emulating  a  modern version  of
-    ClearType.
-    This change inevitably leads to different rendering results, and
-    you   might   change   the   `TT_CONFIG_OPTION_SUBPIXEL_HINTING'
-    configuration option to  adapt it to your taste (or  use the new
-    `FREETYPE_PROPERTIES'    environment    variable).    See    the
-    corresponding entry  below for  version 2.6.4, which  gives more
-    information.
-    + A new option  `FT_CONFIG_OPTION_ENVIRONMENT_PROPERTIES' has been
-    introduced.   If  set (which  is  the  default), an  environment
-    variable  `FREETYPE_PROPERTIES' can  be used  to control  driver
-    properties.  Example:
-    FREETYPE_PROPERTIES=truetype:interpreter-version=35 \
-    cff:no-stem-darkening=1 \
-    autofitter:warping=1
-    This allows to select, say, the subpixel hinting mode at runtime
-    for a given application.  See file `ftoption.h' for more.
-  * IMPORTANT BUG FIXES
-    + After  loading a  named instance  of  a GX  variation font,  the
-    `face_index'  value  in  the returned  `FT_Face'  structure  now
-    correctly holds the named instance  index in the upper 16bits as
-    documented.
-  * MISCELLANEOUS
-    + A new macro `FT_IS_NAMED_INSTANCE' to  test whether a given face
-    is a named instance.
-    + More fixes to GX font handling.
-    + Apple's   `GETVARIATION'  bytecode   operator  (needed   for  GX
-    variation font support) has been implemented.
-    + Another round  of fuzzer fixes,  mainly to reject  invalid fonts
-    faster.
-    + Handling of raw CID fonts  was broken (bug introduced in version
-    2.6.4).
-    + The smooth rasterizer has been streamlined  to make it faster by
-    approx. 20%.
-    + The `ftgrid'  demo program now  understands command  line option
-    `-d' to give start-up design coordinates.
-    + The `ftdump' demo program has  a new command line option `-p' to
-    dump TrueType bytecode instructions.
-- removed freetype2-subpixel.patch in favor of above
-  FREETYPE_PROPERTIES environment variable
-
-- Update to version 2.6.5:
-  + Compilation works again  on Mac OS X (bug introduced in version
-    2.6.4).
-  + The new  subpixel hinting  mode is now  disabled by  default; it
-    will  be enabled  by default  in the  forthcoming 2.7.x  series.
-    Main reason for reverting this feature is the principle of least
-    surprise: a  sudden change in  appearance of all fonts  (even if
-    the rendering improves  for almost all recent  fonts) should not
-    be expected in a new micro version of a series.
-- Rebase freetype2-subpixel.patch.
-
-- Upadte to version 2.6.4:
-  * A new subpixel hinting mode, which is now the default rendering
-    mode for TrueType fonts. It implements (almost everything of)
-    version 40 of the bytecode engine. The existing code base in
-    FreeType (the `Infinality code') was stripped to the bare
-    minimum and all configurability removed in the name of speed
-    and simplicity. The configurability was mainly aimed at legacy
-    fonts like Arial, Times New Roman, or Courier. [Legacy fonts
-    are fonts that modify vertical stems to achieve clean
-    black-and-white bitmaps.] The new mode focuses on applying a
-    minimal set of rules to all fonts indiscriminately so that
-    modern and web fonts render well while legacy fonts render
-    okay. Activation of the subpixel hinting support can be
-    controlled with the `TT_CONFIG_OPTION_SUBPIXEL_HINTING'
-    configuration option at compile time: If set to value 1, you
-    get the old Infinality mode (which was never the default due to
-    its slowness). Value 2 activates the new subpixel hinting mode,
-    and value 3 activates both. The default is value 2. At run
-    time, you can select the subpixel hinting mode with the
-    `interpreter-version' property (provided you have compiled in
-    the corresponding hinting mode); see `ftttdrv.h' for more.
-  * Support for the following scripts has been added to the
-    auto-hinter: Armenian, Cherokee, Ethiopic, Georgian, Gujarati,
-    Gurmukhi, Malayalam, Sinhala, Tamil.
-- Rebase freetype2-subpixel.patch.
-
-- Update to version 2.6.3
-  * IMPORTANT CHANGES
-  - Khmer,  Myanmar, Bengali,  and Kannada  script support  has been
-    added to the auto-hinter.
-  * MISCELLANEOUS
-  - Better  support of  Indic  scripts like  Devanagari  by using  a
-    top-to-bottom hinting flow.
-  - All  FreeType macros  starting  with two  underscores have  been
-    renamed to  avoid a violation of  both the C and  C++ standards.
-    Example: Header  macros of the  form `__FOO_H__' are  now called
-    `FOO_H_'.  In most cases,  this should be completely transparent
-    to the user.   The exception to this  is `__FTERRORS_H__', which
-    must be  sometimes undefined by  the user to get  FreeType error
-    strings:  Both this  form and  the new  `FTERRORS_H_' macro  are
-    accepted for backwards compatibility.
-  - Minor improvements mainly to the Type 1 driver.
-  - The  new CFF  engine now  supports all  Type 2  operators except
-    `random'.
-  - The macro `_STANDALONE_', used for  compiling the B/W and smooth
-    rasterizers  as   stand-alone  modules,  has  been   renamed  to
-    `STANDALONE_', since macro names starting with an underscore and
-    followed by an uppercase letter are reserved in both C and C++.
-  - Function  `FT_Library_SetLcdFilterWeights'  now  also  activates
-    custom LCD filter weights (instead of just adjusting them).
-  - Support for  `unpatented hinting'  has been  completely removed:
-    Consequently,  the two  functions `FT_Face_CheckTrueTypePatents'
-    and  `FT_Face_SetUnpatentedHinting'  now  return  always  false,
-    doing nothing.
-
-- Update to version 2.6.2
-  * IMPORTANT CHANGES
-  - The auto-hinter now supports stem darkening, to be controlled by
-    the    new   `no-stem-darkening'    and   `darkening-parameters'
-    properties.   This is  an  experimental  feature contributed  by
-    Nikolaus Waxweiler, and  the interface might change  in a future
-    release.
-  - By default, stem darkening is now switched off (for both the CFF
-    engine and the  auto-hinter).  The main reason is  that you need
-    linear  alpha  blending  and  gamma correction  to  get  correct
-    rendering results, and  the latter is not yet  available in most
-    freely  available  rendering  stacks like  X11.   Applying  stem
-    darkening without proper gamma correction  leads to far too dark
-    rendering results.
-  - The   meaning  of   `FT_RENDER_MODE_LIGHT'  has   been  slightly
-    modified.   It  now  essentially  means `no  hinting  along  the
-    horizontal  axis'; in  particular,  no change  of glyph  advance
-    widths.  Consequently, the auto-hinter  is used for all scalable
-    font  formats  except  for  CFF.    It  is  planned  that  other
-    font-specific rendering engines (TrueType, Type 1) will follow.
-  * MISCELLANEOUS
-  - The default  LCD filter  has been changed  to be  normalized and
-    color-balanced.
-  - For    better    compatibility   with    FontConfig,    function
-    `FT_Library_SetLcdFilter'  accepts   a  new   enumeration  value
-    `FT_LCD_FILTER_LEGACY1'   (which  has   the   same  meaning   as
-    `FT_LCD_FILTER_LEGACY').
-  - A large number of bugs have been detected by using the libFuzzer
-    framework,  which should  further  improve  handling of  invalid
-    fonts.  Thanks again to Kostya Serebryany and Bungeman!
-  - `TT_CONFIG_OPTION_MAX_RUNNABLE_OPCODES',  a   new  configuration
-    option, controls the maximum number of executed opcodes within a
-    bytecode program.  You don't want to change this except for very
-    special  situations (e.g.,  making a  library fuzzer  spend less
-    time to handle broken fonts).
-  - The smooth renderer has been made faster.
-
-- Update to version 2.6.1
-  * IMPORTANT BUG FIXES
-  - It turned  out that for CFFs  only the advance widths  should be
-    taken from the  `htmx' table, not the side  bearings.  This bug,
-    introduced in  version 2.6.0, makes  it necessary to  upgrade if
-    you are using  CFFs; otherwise, you get cropped  glyphs with GUI
-    interfaces like GTK or Qt.
-  - Accessing Type 42 fonts returned  incorrect results if the glyph
-    order of the embedded TrueType font differs from the glyph order
-    of the Type 42 charstrings table.
-  * IMPORTANT CHANGES
-  - The header  file layout  has been  changed (again),  moving  all
-    header files except `ft2build.h' into a subdirectory tree.
-    Doing so  reduces the  possibility of  header file  name clashes
-    (e.g., FTGL's  `FTGlyph.h' with FreeType's `ftglyph.h')  on case
-    insensitive file systems like Mac OS X or Windows.
-    Applications  that  use  (a)  the  `freetype-config'  script  or
-    FreeType's `freetype2.pc' file for pkg-config to get the include
-    directory  for the  compiler,  and (b)  the  documented way  for
-    header inclusion like
-    [#]include <ft2build.h>
-    [#]include FT_FREETYPE_H
-    ...
-    don't need any change to the source code.
-  - Simple access  to named instances  in GX variation fonts  is now
-    available (in addition to the  previous method via FreeType's MM
-    interface).   In  the `FT_Face'  structure,  bits  16-30 of  the
-    `face_index' field hold the current named instance index for the
-    given face  index, and bits  16-30 of `style_flags'  contain the
-    number of  instances for  the given face  index.  `FT_Open_Face'
-    and friends also understand the  extended bits of the face index
-    parameter.
-    You need to enable  TT_CONFIG_OPTION_GX_VAR_SUPPORT for this new
-    feature.  Otherwise, bits  16-30 of the two fields  are zero (or
-    are ignored).
-  - Lao script support has been added to the auto-hinter.
-  * MISCELLANEOUS
-  - The auto-hinter's Arabic script support has been enhanced.
-  - Superscript-like and  subscript-like glyphs  as used  by various
-    phonetic alphabets like the IPA  are now better supported by the
-    auto-hinter.
-  - The TrueType bytecode interpreter now runs slightly faster.
-  - Improved support for builds with cmake.
-  - The  function  `FT_CeilFix'  now   always  rounds  towards  plus
-    infinity.
-  - The  function  `FT_FloorFix'  now always  rounds  towards  minus
-    infinity.
-  - A  new load  flag `FT_LOAD_COMPUTE_METRICS'  has been  added; it
-    makes FreeType  ignore pre-computed  metrics, as needed  by font
-    validating  or  font  editing  programs.  Right  now,  only  the
-    TrueType  module supports  it  to ignore  data  from the  `hdmx'
-    table.
-  - Another round of bug fixes  to better handle broken fonts, found
-    by Kostya Serebryany <kcc@google.com>.
-- Dropping upstreamed patch Dont-use-hmtx-table-for-LSB.patch.
-
-- Add Dont-use-hmtx-table-for-LSB.patch: Fixes gnu#45520, cut off
-  fonts in gtk and qt. Taken from upstream git.
-
-- Update to version 2.6
-  * Thread safety improvements
-  * Thai script support has been added to the auto-hinter.
-  * Arabic script support has been added to the auto-hinter.
-  * Following OpenType version 1.7,  advance widths and side bearing
-    values in  CFFs (wrapped  in an SFNT  structure) are  now always
-    taken from the `hmtx' table.
-  * Following OpenType  version 1.7, the  PostScript font name  of a
-    CFF font (wrapped in an SFNT structure) is now always taken from
-    the `name'  table.  This is  also true for  OpenType Collections
-    (i.e., TTCs using  CFFs subfonts instead of TTFs),  where it may
-    have a significant difference.
-  * Fonts natively hinted for  ClearType are now supported, properly
-    handling selector index 3 of the INSTCTRL bytecode instruction.
-  * Major improvements to the GX TrueType variation font handling.
-
-- Merge with the version 2.5.5 from openSUSE:Factory
-- Removed patches:
-  * CVE-2014-9656.patch
-  * CVE-2014-9657.patch
-  * CVE-2014-9658.patch
-  * CVE-2014-9659.patch
-  * CVE-2014-9660.patch
-  * CVE-2014-9661.patch
-  * CVE-2014-9662.patch
-  * CVE-2014-9663.patch
-  * CVE-2014-9664.patch
-  * CVE-2014-9665.patch
-  * CVE-2014-9666.patch
-  * CVE-2014-9667.patch
-  * CVE-2014-9668.patch
-  * CVE-2014-9669.patch
-  * CVE-2014-9670.patch
-  * CVE-2014-9671.patch
-  * CVE-2014-9672.patch
-  * CVE-2014-9673.patch
-  * CVE-2014-9674.patch
-  * CVE-2014-9675.patch
-  - Integrated in the 2.5.5 release
-- Modified patches:
-  * don-t-mark-libpng-as-required-library.patch
-  * bugzilla-308961-cmex-workaround.patch
-  * freetype2-subpixel.patch
-  * freetype2-bitmap-foundry.patch
-  * overflow.patch
-  - Adapt to the new version of sources
-
-- Modified patch:
-  * CVE-2014-9671.patch
-  - Adapt the code to correspond to the current git master of
-    freetype2 (fixes bsc#933247)
-
-- Enable the bz2 compression in freetype2
-- Remove patch overflow.patch from freetype2.spec where it is not
-  applied.
-- Run spec-cleaner on the spec file.
-
-- fixed vulnerabilities (bnc#916847, bnc#916856, bnc#916857,
-  bnc#916858, bnc#916859, bnc#916860, bnc#916861, bnc#916862,
-  bnc#916863, bnc#916864, bnc#916865, bnc#916867, bnc#916868,
-  bnc#916870, bnc#916871, bnc#916872, bnc#916873, bnc#916874,
-  bnc#916879, bnc#916881)
-  - CVE-2014-9656.patch
-  - CVE-2014-9657.patch
-  - CVE-2014-9658.patch
-  - CVE-2014-9659.patch
-  - CVE-2014-9660.patch
-  - CVE-2014-9661.patch
-  - CVE-2014-9662.patch
-  - CVE-2014-9663.patch
-  - CVE-2014-9664.patch
-  - CVE-2014-9665.patch
-  - CVE-2014-9666.patch
-  - CVE-2014-9667.patch
-  - CVE-2014-9668.patch
-  - CVE-2014-9669.patch
-  - CVE-2014-9670.patch
-  - CVE-2014-9671.patch
-  - CVE-2014-9672.patch
-  - CVE-2014-9673.patch
-  - CVE-2014-9674.patch
-  - CVE-2014-9675.patch
-
-- Update to version 2.5.5
-  * IMPORTANT BUG FIXES
-  - Handling of  uncompressed PCF files works again (bug
-    introduced in version 2.5.4).
-- Drop freetype2-2.5.3-fix-pcf.patch, merged upstream
-
-- Update to version 2.5.4
-  * IMPORTANT BUG FIXES
-  - A variant of vulnerability CVE-2014-2240 was identified
-    (cf.  http://savannah.nongnu.org/bugs/?43661) and fixed
-    in  the new CFF driver.  All users should upgrade.
-  - The new auto-hinter code using HarfBuzz crashed for some
-    invalid fonts.
-  - Many fixes to better protect against malformed input.
-  * IMPORTANT CHANGES
-  - Full auto-hinter support of the Devanagari script.
-  - Experimental auto-hinter support of the Telugu script.
-  - CFF stem darkening behaviour can now be controlled at
-    build time using the eight macros
-    CFF_CONFIG_OPTION_DARKENING_PARAMETER_{X,Y}{1,2,3,4}    .
-  - Some fields in the `FT_Bitmap'  structure have been changed
-    from signed to unsigned type, which better reflects
-    the actual usage. It is also an additional means to
-    protect against malformed input. This change doesn't break
-    the ABI; however, it might cause compiler warnings.
-  * MISCELLANEOUS
-  - Improvements to  the auto-hinter's algorithm to recognize
-    stems and local extrema.
-  - Function `FT_Get_SubGlyph_Info' always returned an error
-    even in case of success.
-  - Version  2.5.1 introduced major bugs in the cjk part of
-    the auto-hinter, which are now fixed.
-  - The `FT_Sfnt_Tag' enumeration values have been changed to
-    uppercase, e.g. `FT_SFNT_HEAD'. The lowercase variants
-    are deprecated. This is for orthogonality with all other
-    enumeration (and enumeration-like) values in FreeType.
-  - `cmake' now supports builds of FreeType as an OS X framework
-    and for iOS.
-  - Improved project files for vc2010, introducing a property file
-  - The documentation generator for the API reference has been
-    updated to produce better HTML code (with proper CSS).
-    At the same time, the documentation got a better structure.
-  - The FT_LOAD_BITMAP_CROP flag is obsolete; it is not used
-    by any driver.
-  - The TrueType DELTAP[123] bytecode instructions now work in
-    subpixel hinting mode as described in the ClearType
-    whitepaper (i.e., for touched points in the
-    non-subpixel direction).
-  - Many small improvements to the internal arithmetic routines.
-- Rebase don-t-mark-libpng-as-required-library.patch,
-  bugzilla-308961-cmex-workaround.patch, freetype2-subpixel.patch,
-  freetype2-bitmap-foundry.patch and overflow.patch
-- Add freetype2-2.5.3-fix-pcf.patch from upstream to resolve
-  http://savannah.nongnu.org/bugs/?43774, "Freetype 2.5.4 does not
-  load ungzipped PCF fonts"
-
keyutils
-- Add /etc/keys/ and /usr/etc/keys/ directory (bsc#1187654)
-
-- adjust the library license to be LGPL-2.1+ only (the tools are GPL2+,
-  the library is just LGPL-2.1+) (bsc#1180603)
-
-- update to 1.6.3:
-  * Revert the change notifications that were using /dev/watch_queue.
-  * Apply the change notifications that use pipe2(O_NOTIFICATION_PIPE).
-  * Allow "keyctl supports" to retrieve raw capability data.
-  * Allow "keyctl id" to turn a symbolic key ID into a numeric ID.
-  * Allow "keyctl new_session" to name the keyring.
-  * Allow "keyctl add/padd/etc." to take hex-encoded data.
-  * Add "keyctl watch*" to expose kernel change notifications on keys.
-  * Add caps for namespacing and notifications.
-  * Set a default TTL on keys that upcall for name resolution.
-  * Explicitly clear memory after it's held sensitive information.
-  * Various manual page fixes.
-  * Fix C++-related errors.
-  * Add support for keyctl_move().
-  * Add support for keyctl_capabilities().
-  * Make key=val list optional for various public-key ops.
-  * Fix system call signature for KEYCTL_PKEY_QUERY.
-  * Fix 'keyctl pkey_query' argument passing.
-  * Use keyctl_read_alloc() in dump_key_tree_aux().
-  * Various manual page fixes.
-- spec-cleaner run (fixup failing homepage url)
-
-- prepare usrmerge (boo#1029961)
-
-- updated to 1.6
-  - Apply various specfile cleanups from Fedora.
-  - request-key: Provide a command line option to suppress helper execution.
-  - request-key: Find least-wildcard match rather than first match.
-  - Remove the dependency on MIT Kerberos.
-  - Fix some error messages
-  - keyctl_dh_compute.3: Suggest /proc/crypto for list of available hashes.
-  - Fix doc and comment typos.
-  - Add public key ops for encrypt, decrypt, sign and verify (needs linux-4.20).
-  - Add pkg-config support for finding libkeyutils.
-- upstream isn't offering PGP signatures for the source tarballs anymore
-
-- Replace krb5-devel BuildRequires with pkgconfig(krb5): Allow OBS
-  to shortcut the ring0 bootstrap cycle by also using krb5-mini.
-
-- add upstream signing key and verify source signature
-
-- updated to 1.5.11 (bsc#1113013)
-  - Add keyring restriction support.
-  - Add KDF support to the Diffie-Hellman function.
-  - DNS: Add support for AFS config files and SRV records
-
-- Use %license (boo#1082318)
-
-- add keyutils-devel for baselibs, to allow biarch LTP builds.
-  (bsc#1061591)
-
-- updated to 1.5.10
-  - added "dh_compute" callback
-  - manpage improvements
-
-- move binaries from /bin to /usr/bin (bsc#1029969)
-- keyutils-usr-move.patch: also adjust the request-key.conf file
-
-- keyutils-nodate.patch: avoid including the timestamp. bsc#916180
-
libidn2
-- The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later,
-  match factory licenses (bsc#1180138)
-
-- Update to version 2.2.0 CVE-2019-12290 bsc#1154884:
-  * Perform A-Label roundtrip for lookup functions by default
-  * Stricter check of input to punycode decoder
-  * Fix punycode decoding with no ASCII chars but given delimiter
-  * Fix 'idn2 --no-tr64' (was a no-op)
-  * Allow _ as a basic code point in domain labels
-  * Fail building documentation if 'ronn' isn't installed
-  * git tag changed to reflect https://semver.org/
-
-- update to 2.1.1 CVE-2019-18224 bsc#1154887:
-  * Revert SONAME bump from release 2.1.0
-  * Fix NULL dereference in idn2_register_u8() and
-    idn2_register_ul()
-  * Fix free of random value in idn2_to_ascii_4i()
-  * Improved fuzzer (which found the above issues)
-  * Check for valid unicode input in punycode encoder
-  * Avoid excessive CPU usage in punycode encoding with
-    large inputs
-  * Deprecate idn2_to_ascii_4i() in favor of idn2_to_ascii_4i2()
-  * Restrict output length of idn2_to_ascii_4i() to 63 bytes
-
-- update to 2.1.0:
-  * Two internal functions are no longer exposed, soname bump
-  * Fix label length check for idn2_register_u8()
-  * Add missing error messages to idn2_strerror_name()
-
-- update to 2.0.5:
-  * Switch the default library behavior to IDNA2008 as amended by
-    TR#46 (non-transitional). That default behavior is enabled when
-    no flags are specified to function calls. Applications can
-    utilize the %IDN2_NO_TR46 flag to switch to the unamended
-    IDNA2008. This is done in the interest of interoperability
-    based on the fact that this is what application writers care
-    about rather than strict compliance with a particular protocol
-  * Fixed memory leak in idn2_to_unicode_8zlz()
-  * Return error (IDN2_ICONV_FAIL) on charset conversion errors
-  * Fixed issue with STD3 rules applying in non-transitional TR46
-    mode
-  * idn2: added option --usestd3asciirules
-- put translations into libidn2-lang
-- correct location of install_info_prereq macro to be on tools
-
-- update to 2.0.4:
-  * Fix integer overflow in bidi.c/_isBidi() bsc#1056451
-  * Fix integer overflow in puny_decode.c/decode_digit()
-    bsc#1056450
-  * Fix idna_free() to idn_free()
-- enable documentation again
-
-- update to 2.0.3:
-  * %IDN2_USE_STD3_ASCII_RULES disabled by default.
-    Previously libidn2 was eliminating non-STD3 characters from
-    domain strings such as _443._tcp.example.com, or IPs such as
-    1.2.3.4/24 provided to libidn2 functions. That was an
-    unexpected regression for applications switching from libidn
-    and thus it is no longer applied by default.
-    Use %IDN2_USE_STD3_ASCII_RULES to enable that behavior again.
-- disable documentation, does not build correctly
-
-- update to 2.0.2:
-  * Fix TR46 transitional mode
-  * Fix several documentation issues
-
-- Sources updated from http://alpha.gnu.org to https://ftp.gnu.org
-
-- Update to version 2.0.1
-- Version 2.0.1 (released 2017-04-22)
-  * idn2 utility now using IDNA2008 + TR46 by default
-- Version 2.0.0 (released 2017-03-29) [alpha]
-  * Version numbering scheme changed
-  * Added to ASCII conversion functions corresponding to libidn1
-    functions:
-  - idn2_to_ascii_4i		- idn2_to_ascii_4z
-  - idn2_to_ascii_8z		- idn2_to_ascii_lz
-  * Added to unicode conversion functions corresponding to libidn1
-    functions:
-  - idn2_to_unicode_8z4z	- idn2_to_unicode_4z4z
-  - idn2_to_unicode_44i	- idn2_to_unicode_8z8z
-  - idn2_to_unicode_8zlz	- idn2_to_unicode_lzlz
-  * Including idn2.h will provide libidn1 compatibility functions
-  unless IDN2_SKIP_LIBIDN_COMPAT is defined. That allows converting
-  applications from libidn1 (which offers IDNA2003) to libidn2 (which
-  offers IDNA2008) by replacing idna.h to idn2.h in the applications'
-  source.
-- Dropped patch not needed after revision
-  * libidn2-no-examples-build.patch
-
-- Update to version 0.16
-  * build: Fix idn2_cmd.h build rule.
-  * API and ABI is backwards compatible with the previous version.
-- Update to version 0.15 (released 2017-01-14)
-  * Fix out-of-bounds read.
-  * Fix NFC input conversion (regression).
-  * Shrink TR46 static mapping data.
-  * API and ABI is backwards compatible with the previous version.
-- Update to version 0.14 (released 2016-12-30)
-  * build: Fix gentr46map build.
-  * API and ABI is backwards compatible with the previous version.
-- Update to version 0.13:
-  * build: Doesn't download external files during build.
-  * doc: Clarify license.
-  * build: Generate ChangeLog file properly.
-  * doc: API documentation related to TR46 flags.
-  * API and ABI is backwards compatible with the previous version.
-- Update to version 0.12:
-  * Builds/links with libunistring.
-  * Fix two possible crashes with unchecked NULL pointers.
-  * Memleak fix.
-  * Binary search for codepoints in tables.
-  * Do not taint output variable on error in idn2_register_u8().
-  * Do not taint output variable on error in idn2_lookup_u8().
-  * Update to Unicode 6.3.0 IDNA tables.
-  * Add TR46 / UTS#46 support to API and idn2 utility.
-  * Add NFC quick check.
-  * Add make target 'check-coverage' for test coverage report.
-  * Add tests to increase test code coverage.
-  * API and ABI is backwards compatible with the previous version.
-
-- update to 0.11:
-  * Fix stack underflow in 'idn2' command line tool. [boo#1014473]
-  * Fix gdoc script to fix texinfo syntax error.
-  * API and ABI is backwards compatible with the previous version.
-
-- Convert to libidn2 package, which has started being used, namely by curl
-- Alternative implementation based on new specification from 2008
-  + completely different codebase with no ties to libidn
-
-- libidn 1.33:
-  * bnc#990189 CVE-2015-8948 CVE-2016-6262
-  * bnc#990190 CVE-2016-6261
-  * bnc#990191 CVE-2016-6263
-  * libidn: Fix out-of-bounds stack read in idna_to_ascii_4i.
-  * idn: Solve out-of-bounds-read when reading one zero byte as input.
-  * libidn: stringprep_utf8_nfkc_normalize reject invalid UTF-8.
-
-- Update to 1.32
-  * libidn: Fix crash in idna_to_unicode_8z8z and
-    idna_to_unicode_8zlz. This problem was introduced in 1.31.
-  * API and ABI is backwards compatible with the previous version.
-- Update gpg keyring
-
-- Add Apache-2.0 license to the license line. Under this is the
-  java code, but we don't build it -> just the sources license
-
-- Version bump to 1.31:
-  * Fixes bnc#923241 CVE-2015-2059 out-of-bounds read with stringprep on
-    invalid UTF-8
-  * A few other trivial changes
-
-- Version bump to 1.30:
-  * punycode.{c,h} files were reimported
-- Cleanup with spec-cleaner
-
-- update version 1.29:
-  * libidn: Mark internal variable "g_utf8_skip" as static.
-  * idn: Flush stdout to simplify for tools that buffer too heavily.
-  * i18n: Added Brazilian Portuguese translation.
-  * Update gnulib files.
-  * API and ABI is backwards compatible with the previous version.
-
libsndfile
-- Fix heap buffer overflow in flac_buffer_copy (CVE-2021-4156,
-  bsc#1194006):
-  libsndfile-CVE-2021-4156.patch
-
-- Fix heap buffer overflow vulnerability in msadpcm_decode_block
-  (CVE-2021-3246, bsc#1188540):
-  ms_adpcm-Fix-and-extend-size-checks.patch
-
-- Fix segfault in wav conversion due to the invalid loop count
-  (CVE-2018-19758, bsc#1117954):
-  libsndfile-wav-loop-count-fix.patch
-
-- Fix buffer overflow in sndfile-deinterleave, which isn't really a
-  security issue (bsc#1100167, CVE-2018-13139, bsc#1116993,
-  CVE-2018-19432):
-  sndfile-deinterlace-channels-check.patch
-
-- Use license file tag
-
-- Fix potential overflow in d2alaw_array() (CVE-2017-17456,
-  bsc#1071777):
-  libsndfile-CVE-2017-17456-alaw-range-check.patch
-- Fix potential overflow in d2ulaw_array() (CVE-2017-17457,
-  bsc#1071767):
-  libsndfile-CVE-2017-17457-ulaw-range-check.patch
-
-- Fix VUL-0: divide-by-zero error exists in the function
-  double64_init() in double64.c (CVE-2017-14634, bsc#1059911):
-  0030-double64_init-Check-psf-sf.channels-against-upper-bo.patch
-- Tentative fix for VUL-0: out of bounds read in the function
-  d2alaw_array() in alaw.c (CVE-2017-14245, bsc#1059912) and
-  VUL-0: out of bounds read in the function d2ulaw_array() in
-  ulaw.c (CVE-2017-14246, bsc#1059913):
-  0031-sfe_copy_data_fp-check-value-of-max-variable.patch
-
-- Fix Heap-based Buffer Overflow in the psf_binheader_writef
-  (CVE-2017-12562, bsc#1052476):
-  0020-src-common.c-Fix-heap-buffer-overflows-when-writing-.patch
-
-- Fix out-of-bounds read memory access in the aiff_read_chanmap()
-  (CVE-2017-6892, bsc#1043978):
-  0010-src-aiff.c-Fix-a-buffer-read-overflow.patch
-
-- Fix FLAC buffer overflows (CVE-2017-8361 CVE-2017-8363
-  CVE-2017-8365 CVE-2017-8362 bsc#1036944 bsc#1036945 bsc#1036946
-  bsc#1036943):
-  0001-FLAC-Fix-a-buffer-read-overrun.patch
-  0002-src-flac.c-Fix-a-buffer-read-overflow.patch
-
-- Update to version 1.0.27:
-  * Fix a seek regression in 1.0.26
-  * Add metadata read/write for CAF and RF64
-  * Fix PAF endian-ness issue
-- Update to version 1.0.28
-  * Fix buffer overruns in FLAC and ID3 handling code
-  (CVE-2017-7585, CVE-2017-7586, bsc#1033054, bsc#1033053)
-  * Reduce default header memory requirements
-  * Fix detection of Large File Support for 32 bit systems.
-- Obsoleted patch:
-  libsndfile-psf_strlcpy_crlf-fix-CVE-2015-8075.patch
-
-- Fix spec file to enable builds on non opensuse OS
-
-- Update to version 1.0.26:
-  * Fix for CVE-2014-9496, CVE-2014-9756 and CVE-2015-7805.
-  * Add ALAC/CAF support. Minor bug fixes and improvements.
-- Refreshed patches:
-  sndfile-ocloexec.patch
-  libsndfile-psf_strlcpy_crlf-fix-CVE-2015-8075.patch
-- Removed obsoleted patches:
-  libsndfile-example-fix.diff
-  libsndfile-fix-header-read-CVE-2015-7805.patch
-  libsndfile-paf-zero-division-fix.diff
-  libsndfile-src-common.c-Fix-a-header-parsing-bug.patch
-  libsndfile-src-file_io.c-Prevent-potential-divide-by-zero.patch
-  sndfile-src-sd2.c-Fix-segfault-in-SD2-RSRC-parser.patch
-  sndfile-src-sd2.c-Fix-two-potential-buffer-read-overflows.patch
-
-- VUL-0: libsndfile 1.0.25 heap overflow (CVE-2015-7805, bsc#953516)
-  libsndfile-src-common.c-Fix-a-header-parsing-bug.patch
-  libsndfile-fix-header-read-CVE-2015-7805.patch
-- VUL-0: libsndfile 1.0.25 heap overflow (CVE-2015-8075, bsc#953519)
-  libsndfile-psf_strlcpy_crlf-fix-CVE-2015-8075.patch
-- Fix the build with SLE11-SP3 due to AM_SILENT_RULE macro
-
-- VUL-1: libsndfile DoS/divide-by-zero (CVE-2014-9756, bsc#953521):
-  libsndfile-src-file_io.c-Prevent-potential-divide-by-zero.patch
-
-- Cleanup spec file with spec-cleaner
-- Add gpg signature
-- Remove old ppc provides/obsoletes
-
-- VUL-0: two buffer read overflows in sd2_parse_rsrc_fork()
-  (CVE-2014-9496, bnc#911796): backported upstream fix patches
-  sndfile-src-sd2.c-Fix-segfault-in-SD2-RSRC-parser.patch
-  sndfile-src-sd2.c-Fix-two-potential-buffer-read-overflows.patch
-
libtirpc
-- check for nullpointer in check_address (bsc#1198176)
-  update 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
-
-- add option to enforce connection via protocol version 2 first
-  (bsc#1196647)
-  add 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
-
-- Update to libtirpc 1.2.6
-  - Drop all patches backported from this release
-  (0001-Add-authdes_seccreate-stub.patch,
-  0001-Avoid-multiple-definiton-with-gcc-fno-common.patch)
-
-- Backport upstream fix daed7ee ("Avoid multiple-definiton with gcc -fno-common")
-  to fix build error with gcc flag -fno-common (bsc#1160875).
-  Tested on gcc-9 and gcc-10.
-  0001-Avoid-multiple-definiton-with-gcc-fno-common.patch
-
-- Skip unneeded autogen.sh run (configure is up-to-date), drop
-  dependencies: libtool, autoconf
-- Replace krb5-mini-devel/krb5-devel with pkgconfig(krb5)
-
-- Update to libtirpc 1.2.5
-  - A number of resource leaks and other issues were fixed which were identified
-  by a Coverity Scan.
-  - The AUTH_DES authentication has been deprecated. If any of those routines
-    are called, they will fail immediately.
-  - numerous bug fixes
-- Package changes:
-  - Build without AUTH_DES authentication
-  - Add patch from next release 0001-Add-authdes_seccreate-stub.patch
-    (a86b4ff Add authdes_seccreate() stub)
-  - Drop rc patches (libtirpc-1-1-5-rc1.patch, libtirpc-1-1-5-rc2.patch)
-  - Drop all patches backported from this release
-  (0001-Makefile.am-Use-LIBADD-instead-of-LDFLAGS-to-link-ag.patch,
-  0002-man-rpc_secure.3t-Fix-typo-in-manpage.patch,
-  0003-xdr-add-a-defensive-mask-in-xdr_int64_t-and-xdr_u_in.patch)
-
-- Fix previous version:
-  - actually delete
-    0001-xdrstdio_create-buffers-do-not-output-encoded-values.patch
-  - use 0001-Makefile.am-Use-LIBADD-instead-of-LDFLAGS-to-link-ag.patch
-  - use 0002-man-rpc_secure.3t-Fix-typo-in-manpage.patch (renamed from
-    0003-man-rpc_secure.3t-Fix-typo-in-manpage.patch)
-  - use 0003-xdr-add-a-defensive-mask-in-xdr_int64_t-and-xdr_u_in.patch
-    (renamed from
-    0004-xdr-add-a-defensive-mask-in-xdr_int64_t-and-xdr_u_in.patch)
-
-- Updated to libtirpc 1.1.5 rc2 (this includes changes in 1.1.4 release)
-  - add libtirpc-1-1-5-rc1.patch and libtirpc-1-1-5-rc2.patch to reflect
-    upstream changes after 1.1.4 release
-  - remove /etc/bindresvport.blacklist as it's still supported by glibc
-    although it's not compiled with --enable-obsolete-rpc
-- Drop patches accepted in previous releases or not needed
-  - 000-bindresvport_blacklist.patch (accepted in 5b037cc9, libtirpc 1.1.4)
-  - 001-new-rpcbindsock-path.patch (not needed, rpcbind now uses /var/run directory)
-  - 002-revert-binddynport.patch (fixed in 2802259, libtirpc-1-0-4-rc1)
-  - 0001-Fix-regression-introduced-by-change-rpc-version-orde.patch
-    (backport of 25d38d7, libtirpc-1-0-4-rc1)
-  - 0001-xdrstdio_create-buffers-do-not-output-encoded-values.patch
-    (backport of 145272c, libtirpc-1-0-4-rc2)
-- Add fixes from upcoming release
-  - 0001-Makefile.am-Use-LIBADD-instead-of-LDFLAGS-to-link-ag.patch
-  - 0003-man-rpc_secure.3t-Fix-typo-in-manpage.patch
-  - 0004-xdr-add-a-defensive-mask-in-xdr_int64_t-and-xdr_u_in.patch
-
-- Fix SLES 15 - yp_bind_client_create_v3: RPC: Unknown host (bsc#1126096).
-  - Add upstream patch
-    0001-xdrstdio_create-buffers-do-not-output-encoded-values.patch
-
-- fix socket leak introduced by change-rpc-protocol-version-order patch
-  (bsc#1087925)
-  - add 0001-Fix-regression-introduced-by-change-rpc-version-orde.patch
-
-- Revert binddynport changes as they break backward compatibility
-  [brc#1562169].
-  - add 002-revert-binddynport.patch
-
-- Remove ineffective --with-pic.
-
-- Update to libtirpc 1.0.3
-  - clnt_dg_call: Fix a buffer overflow (CVE-2016-4429)
-  - Avoid choosing reserved ports in legacy RPC APIs
-  - rpcinfo: change order of version to be tried to 4, 3, 2
-  - includes 003-rpc-types.patch
-  - includes 004-replace-bzero-with-memset.patch
-  - includes 005-missing-includes.patch
-  - includes 011-Fix-typo-in-src-libtirpc.map-which-prevents-that-key.patch
-  - includes decls.patch
-- Drop COPYING.GPLv2, GPLv2 code was removed from library
-
-- Adjust include directory [bsc#1083902]
-
-- Use %license (boo#1082318)
-
-- Move /usr/include/tirpc to /usr/include
-
-- Add COPYING.GPLv2 and install Licenses for GPLv2 code.
-
-- 005-missing-includes.patch: add missing includes to make headers
-  compatible to sunrpc.
-
-- Update to version 1.0.2
-  - 002-old-automake.patch: not needed anymore
-  - 005-libtirpc-1.0.2-rc1.patch: dropped
-  - 006-Remove-old-meanwhile-wrong-comment-about-FD_SETSIZE-.patch:
-    removed, merged upstream
-  - 007-Change-rtime-function-to-use-poll-instead-of-select.patch:
-    removed, merged upstream
-  - 008-Add-parameters-to-local-prototypes-to-fix-compiler-w.patch:
-    removed, merged upstream
-  - 009-makefd_xprt-checks-that-the-filedesriptor-is-lower-t.patch:
-    removed, merged upstream
-  - 010-The-goto-again-statement-was-an-left-over-from-the-p.patch:
-    removed, merged upstream
-  - 012-libtirpc-needs-rpcsvc-nis.h-for-compiling-but-does-n.patch:
-    removed, merged upstream
-  - 013-If-we-don-t-compile-in-YP-support-don-t-include-YP-h.patch:
-    removed, merged upstream
-  - 014-Add-des_crypt.c-and-des_impl.c-to-become-independent.patch:
-    removed, merged upstream
-  - 015-Fix-includes-to-compile-without-deprecated-glibc-fun.patch:
-    removed, merged upstream
-  - patch6_7.diff: obsolete
-  - Replace explicit_bzero.patch with
-    004-replace-bzero-with-memset.patch from git
-  - Rename libtirpc-new-path-rpcbindsock.patch to
-    001-new-rpcbindsock-path.patch
-
-- 003-rpc-types.patch: Add some typedefs to rpc/types.h to allow
-  applications be compiled with -std=iso9899:1990
-
-- Rectify RPM groups and summaries,
-  and update old macro/variable constructs.
-
-- decls.patch: fix missing declarations
-- explicit_bzero.patch: use explicit_bzero if available
-
-- Add some patches to get libtirpc compiled without needing glibc
-  deprecated functions:
-  - 015-Fix-includes-to-compile-without-deprecated-glibc-fun.patch
-  - 014-Add-des_crypt.c-and-des_impl.c-to-become-independent.patch
-  - 013-If-we-don-t-compile-in-YP-support-don-t-include-YP-h.patch
-- Add 012-libtirpc-needs-rpcsvc-nis.h-for-compiling-but-does-n.patch
-  to allow bootstrapping of libtirpc without glibc sunrpc code or
-  libnsl NIS+ code.
-
-- Add 011-Fix-typo-in-src-libtirpc.map-which-prevents-that-key.patch
-  (fix export of key_secretkey_is_set)
-
-- Add the following patches to fix some bugs from the poll()
-  port and an endless loop:
-  - 006-Remove-old-meanwhile-wrong-comment-about-FD_SETSIZE-.patch
-  - 007-Change-rtime-function-to-use-poll-instead-of-select.patch
-  - 008-Add-parameters-to-local-prototypes-to-fix-compiler-w.patch
-  - 009-makefd_xprt-checks-that-the-filedesriptor-is-lower-t.patch
-  - 010-The-goto-again-statement-was-an-left-over-from-the-p.patch
-
-- Remove 004-netconfig-prefer-IPv6.patch for SLES12.
-- Remove libtirpc-getnetconfig-races.patch (was backport).
-  [FATE#320393]
-
-- Split the netconfig configuration file and manual page off into
-  an own RPM. Else it is not possible to install the old and new
-  libtirpc libraries in parallel.
-
-- Update to libtirpc-1.0.1
-  - new major soname
-  - Adjust auth code to match other RPC implementations
-  - Implement more gss auth stuff
-  - use poll() instead of select() in svc_run()
-  - Add more sunrpc compat functions
-  - Sync compat headers with real functions
-- Drop 005-missing-symvers.patch (upstream)
-- Drop 006-memleak1.patch (upstream)
-- Drop 007-memleak2.patch (upstream)
-- Drop 008-fix-undef-ref.patch (upstream)
-- Drop 009-authdes_pk_create.patch (upstream)
-- Drop 010-xdr_sizeof.patch (upstream)
-- Drop 011-authdes_create.patch (upstream)
-- Drop 012-xp_sock.patch (upstream)
-- Drop 099-poll.patch (upstream)
-- Drop libtirpc-xdr-header.patch (was backport)
-- Add 005-libtirpc-1.0.2-rc1.patch (fixes deadlock)
-
-- Fix public xdr.h header - xdr_rpcvers() were broken (bsc#902439)
-  Added: libtirpc-xdr-header.patch
-
-- Update 099-poll.patch with newest version sent upstream.
-
-- Add 099-poll.patch: change svc_run from select() to poll().
-
-- Add 012-xp_sock.patch: add sunrpc compatibility define
-
-- Update 009-authdes_pk_create.patch (fix syncaddr handling)
-- Add 011-authdes_create.patch (fix syncaddr handling)
-
-- Add 010-xdr_sizeof.patch (enable xdr_sizeof)
-
-- Add 009-authdes_pk_create.patch (missing SunRPC compat function)
-
-- Add 008-fix-undef-ref.patch to fix an undefined reference bug
-
-- Update to version 0.3.2 (bring authdes back)
-- Remove 005-no_IPv6_for_old_code.patch (accepted upstream)
-- Remove 001-tirpc-features.patch (obsolete)
-- Add 005-missing-symvers.patch (fix missing, new symbols)
-- Add 006-memleak1.patch (fix memory leak)
-- Add 007-memleak2.patch (fix memory leak)
-
-- Remove krb5-devel from -devel requires, not needed anymore
-
-- Update to libtirpc 0.3.1, which incorporates the following
-  patches:
-  - 011-gssapi-update1.patch
-  - 012-gssapi-update2.patch
-  - 013-gssapi-update3.patch
-  - 014-gssapi-update4.patch
-  - 015-gssapi-update5.patch
-  - 016-gssapi-update6.patch
-  - 017-gssapi-update7.patch
-  - 018-gssapi-update8.patch
-  Not needed anymore:
-  - 007-fix-tirpc_map.patch
-  Adjusted:
-  - 001-tirpc-features.patch, merged with 006-rework-features.diff
-  - 002-old-automake.patch
-
-- 007-fix-tirpc_map.patch: fix symbol version for new global names
-
-- 006-rework-features.diff: Adjust for set of gssapi patches
-- 003-fix-gssapi.patch replaced by 011-gssapi-update1.patch
-- 012-gssapi-update2.patch: fix krb5-config usage
-- 013-gssapi-update3.patch: check for gssapi.h
-- 014-gssapi-update4.patch: don't include rpcsec_gss.h
-- 015-gssapi-update5.patch: don't install GSSAPI files if disabled
-- 016-gssapi-update6.patch: fix rpc_gss_seccreate
-- 017-gssapi-update7.patch: officially export two internal functions
-- 018-gssapi-update8.patch: don't use glibc special header files
-
-- 003-fix-gssapi.patch: Correct fix for GSS ABI breakage
-- 005-no_IPv6_for_old_code.patch: Update comment
-- 006-rework-features.diff: Rework tirpc-features.h
-
-- 003-fix-gssapi.patch: Update, one chunk got lost
-
-- 001-tirpc-features.patch: update with official git version
-- 002-old-automake.patch: re-add for SLES11
-- 003-fix-gssapi.patch: try to fix the disable-gssapi option correctly
-
-- Fix HAVE_AUTHDES/HAVE_GSSAPI in public header files
-  (001-tirpc-features.patch)
-
-- Update to official release 0.3.0. authdes was disabled by default
-  upstream.
-- Following patches were merged:
-  - 001-symbol-versions-v5.patch
-  - 003-add-des_crypt.diff
-- Remove 002-old-automake.patch, not needed anymore
-
-- Update 001-symbol-versions-v4.patch with
-  001-symbol-versions-v5.patch: Add --disable-symvers option
-
-- Update 003-add-des_crypt.diff, fix unresolved des functions
-
-- Update to git
-- Add 003-add-des_crypt.diff to fix unresolved *_crypt() functions
-
-- Disable gssapi for SLE11, kerberos version is too old
-
-- rpc/rpc.h requires now indirectly gssapi.h from krb5-devel
-
-- Update to current git.
-- The following patches were accepted upstream:
-  - 003-xdr_h-fix.patch
-  - 005-disable-rpcent.patch
-  - 006-no-libnsl.patch
-  - patch1_7.diff
-  - patch2_7.diff
-  - patch3_7.diff
-- patch7_7.diff: removed, rejected upstream
-- 001-symbol-versions-v3.patch: replace with 001-symbol-versions-v4.patch
-
-- Add the following patches from the libtirpc-devel mailing list:
-  - patch1_7.diff (remove wrong config.h.in)
-  - patch2_7.diff (fix function name of yp_check)
-  - patch3_7.diff (make sure config.h is included)
-  - patch6_7.diff (use getaddrinfo in getrpcport)
-  - patch7_7.diff (remove prototypes from headers we don't supply)
-
-- Add following patches:
-  - 003-xdr_h-fix.patch (fix wrong defines using xdr_u_int32)
-  - 005-disable-rpcent.patch (use rpcent functions from glibc)
-  - 006-no-libnsl.patch (don't link against libnsl)
-
-- Update to 0.2.5.git from 20150423
-  - following patches are accepted upstream:
-  - 003-rpc_broadcast_misformed_replies.patch
-  - libtirpc-misc-segfaults.patch
-  - replace 001-symbol-versions-v2.patch with
-    001-symbol-versions-v3.patch
-  - enable symbol versioning patch
-
-- Fix race conditions in getnetconfig (bsc#899576, bsc#882973)
-  Added: libtirpc-getnetconfig-races.patch
-
-- 004-netconfig-prefer-IPv6.patch: Prefer IPv6 over IPv4 (configured
-  in /etc/netconfig)
-
-- 002-old-automake.patch: make buildable on old systems
-
-- Update to 0.2.5.git from 20141217
-  - following patches are accepted upstream:
-  - 002-clnt_broadcast_fix.patch
-  - 004-getpmaphandle.patch
-  - libtirpc-clntunix_create.patch
-  - libtirpc-getbroadifs-crash.patch
-  - libtirpc-taddr2uaddr-local.patch
-
-- Update to upstream 0.2.5 release
-- Add symbol versioning to fix symbol conflicts
-  (001-symbol-versions-v2.patch), but disable until committed upstream
-- Adjust libtirpc-clnt_broadcast_fix.patch and rename to
-  002-clnt_broadcast_fix.patch
-- Adjust libtirpc-rpc_broadcast_misformed_replies.patch and rename
-  to 003-rpc_broadcast_misformed_replies.patch
-- Rename libtirpc-getpmaphandle.patch to 004-getpmaphandle.patch
-- Adjust libtirpc-bindresvport_blacklist.patch and rename to
-  000-bindresvport_blacklist.patch
-- Drop libtirpc-pmap-setunset.patch, not needed anymore
-- Apply libtirpc-new-path-rpcbindsock.patch only on openSUSE 13.1
-  and later
-
perl-Image-ExifTool
+- Update to version 12.42:
+  * Added support for reading maker notes from Panasonic DC-GH6 videos
+  * Added conversion for Samsung MCCData
+  * Added a new Nikon LensID (thanks Chris)
+  * Added a few new Canon LensType values
+  * Added a couple of new Olympus StackedImage values (thanks Eberhard)
+  * Added a few new values for some Nikon Settings tags (thanks Warren Hatch)
+  * Added a "lang:" element to the -json output for alternate language tags when -D, -H or -t is used
+  * Update DNG writer to not issue an error when writing DNG 1.6 files
+  * Decode information from DJI "ae_dbg_info" maker notes
+  * Decode Olympus AISubjectTrackingMode
+  * Changed ExifTool FileSize print conversion to use kB/MB/GB units instead of KiB/MiB/GiB
+  * Changed "is not shiftable" warning to appear in -v (instead of just -v3) output
+  * Patched to allow PDF Encrypt object to be "null"
+  * Fixed bug reading ICC_Profile 'meta' tags
+
+- update to version 12.41:
+  * Added support for "OM SYSTEM" maker notes
+  * Added 2 new Sony LensType values (thanks Jos Roost)
+  * Added some new Canon lenses (thanks LibRaw)
+  * Added a new Nikon LensID (thanks Bert Ligtvoet)
+  * Added a new Canon ContinuousDrive value (thanks Wolfgang Gulcker)
+  * Enhanced -v0 option to also print new file name when renaming, moving or
+    copying a file
+  * Updated xmp2exif.args and exif2xmp.args helper files to reflect the IPTC
+    Photometadata Mapping Guidelines version 2202.1
+  * Made "Invalid Xxx data" a minor warning for MakerNote data
+  * Patched to allow writing of MP4 videos which have other tracks with a
+    missing sample description entry
+  * Patched MacOS version to specify directory for external utilities (setfile,
+    xattr, stat, mdls and osascript from /usr/bin, and tag from /usr/local/bin)
+  * Fixed long-standing problem where Windows version could behave differently
+    for -if conditions containing undefined tags
+  * Fixed problem where -W+! combined with -j or -X produced invalid JSON or XML
+    when processing multiple files
+  * Fixed potential "uninitialized value $time in division" runtime warning when
+    reading MP4 videos
+  * Added PageCount tag to return the number of pages in a multi-page TIFF
+  * Added a new Nikon LensID (thanks Wolfgang Exler)
+  * Added a few more Sony LensTypes (thanks Jos Roost)
+  * Decode some new Canon tags (thanks Mark Reid)
+  * Decode another Nikon Z9 tag (thanks Warren Hatch)
+  * Decode Nikon NKSC GPSImgDirection (thanks Olaf)
+  * Improved handling of empty XMP structures in lists
+  * Tolerate leading UTF-8 BOM in -geotag log files
+  * Updated photoshop_paths.config to include WorkingPath
+  * Patched to allow writing of MP4 videos which have url tracks with a missing
+    sample description entry
+  * Fixed deep recursion error when reading multi-page TIFF images with more
+    than 100 pages
+  * Fixed potential deep recursion runtime error when writing nested XMP
+    structures
+  * Fixed warning which could be generated when writing new
+    Composite:GPSCoordinates tag
+  * Fixed description of GPR (General Purpose RAW) file type
+  * Fixed typo in the name of a new Nikon tag (thanks Herb)
+
+- update to version 12.39 - not CPAN released
+  For changes in version 12.31 to 12.39 see Changes file
+- fixes CVE-2022-23935 security issue
+