Log Message:
expat: updated to 2.6.0

Release 2.6.0 Tue February 6 2024
    Security fixes:
  * *  CVE-2023-52425 -- Fix quadratic runtime issues with big tokens
               that can cause denial of service, in partial where
               dealing with compressed XML input.  Applications
               that parsed a document in one go -- a single call to
               functions XML_Parse or XML_ParseBuffer -- were not affected.
               The smaller the chunks/buffers you use for parsing
               previously, the bigger the problem prior to the fix.
               Backporters should be careful to no omit parts of
               pull request * and to include earlier pull request *,
               in order to not break the fix.
       *  CVE-2023-52426 -- Fix billion laughs attacks for users
               compiling *without* XML_DTD defined (which is not common).
               Users with XML_DTD defined have been protected since
               Expat >=2.4.0 (and that was CVE-2013-0340 back then).

    Bug fixes:
        *  Fix parse-size-dependent "invalid token" error for
                external entities that start with a byte order mark
        *  Fix NULL pointer dereference in setContext via
                XML_ExternalEntityParserCreate for compilation with
                XML_DTD undefined
   * *  Protect against closing entities out of order

    Other changes:
        *  Improve support for arc4random/arc4random_buf
   * *  Improve buffer growth in XML_GetBuffer and XML_Parse
   * *  xmlwf: Support --help and --version
   * *  xmlwf: Support custom buffer size for XML_GetBuffer and read
        *  xmlwf: Improve language and URL clickability in help output
        *  examples: Add new example "element_declarations.c"
        *  Be stricter about macro XML_CONTEXT_BYTES at build time
        *  Make inclusion to expat_config.h consistent
   * *  Autotools: configure.ac: Support --disable-maintainer-mode
* * ..
  * * *  Autotools: Sync CMake templates with CMake 3.26
        *  Autotools: Make installation of shipped man page doc/xmlwf.1
                independent of docbook2man availability
        *  Autotools|CMake: Add missing -DXML_STATIC to pkg-config file
                section "Cflags.private" in order to fix compilation
                against static libexpat using pkg-config on Windows
   * *  Autotools|CMake: Require a C99 compiler
                (a de-facto requirement already since Expat 2.2.2 of 2017)
        *  Autotools|CMake: Fix PACKAGE_BUGREPORT variable
   * *  Autotools|CMake: Make test suite require a C++11 compiler
        *  CMake: Require CMake >=3.5.0
        *  CMake: Lowercase off_t and size_t to help a bug in Meson
        *  CMake: Sort xmlwf sources alphabetically
        *  CMake|Windows: Fix generation of DLL file version info
        *  CMake: Build tests/benchmark/benchmark.c as well for
                a build with -DEXPAT_BUILD_TESTS=ON
   * *  docs: Document the importance of isFinal + adjust tests
                accordingly
        *  docs: Improve use of "NULL" and "null"
        *  docs: Be specific about version of XML (XML 1.0r4)
                and version of C (C99); (XML 1.0r5 will need a sponsor.)
        *  docs: reference.html: Promote function XML_ParseBuffer more
        *  docs: reference.html: Add HTML anchors to XML_* macros
        *  docs: reference.html: Upgrade to OK.css 1.2.0
   * *  docs: Fix typos
        *  docs|CI: Use HTTPS URLs instead of HTTP at various places
* * ..
* * ..
   * *  Address compiler warnings
   * *  Address clang-tidy warnings
   * *  Version info bumped from 9:10:8 (libexpat*.so.1.8.10)
                to 10:0:9 (libexpat*.so.1.9.0); see https://verbump.de/
                for what these numbers do

    Infrastructure:
   * *  docs: Document security policy in file SECURITY.md
        *  docs: Improve parse buffer variables in-code documentation
* * ..
* * ..
  * * *  Refactor coverage and conformance tests
   * *  Refactor debug level variables to unsigned long
        *  Improve handling of empty environment variable value
                in function getDebugLevel (without visible user effect)
* * ..
* * ..
   * *  tests: Improve test coverage with regard to parse chunk size
  * * *  Fuzzing: Improve fuzzing coverage
   * *  Fuzzing|CI: Start running OSS-Fuzz fuzzing regression tests
   * *  CI: Resolve some Travis CI leftovers
        *  CI: Be robust towards absence of Git tags
   * *  CI: Set permissions to "contents: read" for security
        *  CI: Pin all GitHub Actions to specific commits for security
        *  CI: Reject spelling errors using codespell
        *  CI: Enforce clang-tidy clean code
* * ..
   * *  CI: Upgrade Clang from 15 to 18
        *  CI: Start using Clang's Control Flow Integrity sanitizer
  * * *  CI: Adapt to breaking changes in GitHub Actions Ubuntu images
        *  CI: Adapt to breaking changes in Clang/LLVM Debian packaging
        *  CI: Adapt to breaking changes in codespell
        *  CI: Adapt to breaking changes in Cppcheck