expat: upgrade 2.7.4 -> 2.7.5

Message ID	20260322132219.11230-1-peter.marko@siemens.com
State	New
Headers	show Return-Path: <peter.marko@siemens.com> ip: 185.136.64.226, mailfrom: fm-256628-2026032213220549c4919a530002079f-6f67qr@rts-flowmailer.siemens.com) From: Peter Marko <peter.marko@siemens.com> To: openembedded-core@lists.openembedded.org Cc: Peter Marko <peter.marko@siemens.com> Subject: [PATCH] expat: upgrade 2.7.4 -> 2.7.5 Date: Sun, 22 Mar 2026 14:22:19 +0100 Message-Id: <20260322132219.11230-1-peter.marko@siemens.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Feedback-ID: 519:519-256628:519-21489:flowmailer
Series	expat: upgrade 2.7.4 -> 2.7.5 \| expand expat: upgrade 2.7.4 -> 2.7.5

Message ID

20260322132219.11230-1-peter.marko@siemens.com

State

New

Headers

From: Peter Marko <peter.marko@siemens.com>
To: openembedded-core@lists.openembedded.org
Cc: Peter Marko <peter.marko@siemens.com>
Subject: [PATCH] expat: upgrade 2.7.4 -> 2.7.5
Date: Sun, 22 Mar 2026 14:22:19 +0100
Message-Id: <20260322132219.11230-1-peter.marko@siemens.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Feedback-ID: 519:519-256628:519-21489:flowmailer

Series

expat: upgrade 2.7.4 -> 2.7.5 | expand

Commit Message

Peter Marko March 22, 2026, 1:22 p.m. UTC

From: Peter Marko <peter.marko@siemens.com>

Release information [1]

Release 2.7.5 Tue March 17 2026
        Security fixes:
           #1158  CVE-2026-32776 -- Fix NULL function pointer dereference for
                    empty external parameter entities; it takes use of both
                    functions XML_ExternalEntityParserCreate and
                    XML_SetParamEntityParsing for an application to be
                    vulnerable.
     #1161 #1162  CVE-2026-32777 -- Protect from XML_TOK_INSTANCE_START
                    infinite loop in function entityValueProcessor; it takes
                    use of both functions XML_ExternalEntityParserCreate and
                    XML_SetParamEntityParsing for an application to be
                    vulnerable.
           #1163  CVE-2026-32778 -- Fix NULL dereference in function setContext
                    on retry after an earlier ouf-of-memory condition; it takes
                    use of function XML_ParserCreateNS or XML_ParserCreate_MM
                    for an application to be vulnerable.
           #1160  Three more unfixed vulnerabilities left

        Other changes:
     #1146 #1147  Autotools: Fix condition for symbol versioning check, in
                    particular when compiling with slibtool (not libtool)
           #1156  Address Cppcheck >=2.20.0 warnings
           #1153  tests: Make test_buffer_can_grow_to_max work for MinGW on
                    Ubuntu 24.04
     #1157 #1159  Version info bumped from 12:2:11 (libexpat*.so.1.11.2)
                    to 12:3:11 (libexpat*.so.1.11.3); see https://verbump.de/
                    for what these numbers do

[1] https://github.com/libexpat/libexpat/blob/R_2_7_5/expat/Changes

Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 meta/recipes-core/expat/{expat_2.7.4.bb => expat_2.7.5.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-core/expat/{expat_2.7.4.bb => expat_2.7.5.bb} (92%)

diff --git a/meta/recipes-core/expat/expat_2.7.4.bb b/meta/recipes-core/expat/expat_2.7.5.bb
similarity index 92%
rename from meta/recipes-core/expat/expat_2.7.4.bb
rename to meta/recipes-core/expat/expat_2.7.5.bb
index 95a1ed52c4..4f2578292d 100644
--- a/meta/recipes-core/expat/expat_2.7.4.bb
+++ b/meta/recipes-core/expat/expat_2.7.5.bb
@@ -15,7 +15,7 @@  SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2  \
 GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/"
 UPSTREAM_CHECK_REGEX = "releases/tag/R_(?P<pver>.+)"
 
-SRC_URI[sha256sum] = "e6af11b01e32e5ef64906a5cca8809eabc4beb7ff2f9a0e6aabbd42e825135d0"
+SRC_URI[sha256sum] = "386a423d40580f1e392e8b512b7635cac5083fe0631961e74e036b0a7a830d77"
 
 EXTRA_OECMAKE:class-native += "-DEXPAT_BUILD_DOCS=OFF"

expat: upgrade 2.7.4 -> 2.7.5

Commit Message

Patch