From 3f2f8786623cc3e89a1f4384715b3ad178c5ee2c Mon Sep 17 00:00:00 2001 From: Sebastian Pipping Date: Mon, 19 Apr 2021 15:08:17 +0200 Subject: [PATCH] Changes: Document protection against billion laughs attacks --- Changes | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/Changes b/Changes index 2ecc8a0..a435999 100644 --- a/Changes +++ b/Changes 
@@ -3,10 +3,39 @@ NOTE: We are looking for help with a few things: If you can help, please get in touch. Thanks! Release 2.2.9 Wed Septemper 25 2019 + Security fixes: + #34 #466 CVE-2013-0340/CWE-776 -- Protect against billion laughs attacks + (denial-of-service; flavors targeting CPU time or RAM or both, + leveraging general entities or parameter entities or both) + by tracking and limiting the input amplification factor + ( := ( + ) / ). + By conservative default, amplification up to a factor of 100.0 + is tolerated and rejection only starts after 8 MiB of output bytes + (= + ) have been processed. + A new error code XML_ERROR_AMPLIFICATION_LIMIT_BREACH signals + this condition. + Bug fixes: #390 #395 Fix undefined behavior during parsing when compiled with -DXML_UNICODE that was introduced with Expat 2.0.1 + New features: + #34 #466 Add two new API functions to further tighten billion laughs + protection parameters when desired. + - XML_SetBillionLaughsAttackProtectionMaximumAmplification + - XML_SetBillionLaughsAttackProtectionActivationThreshold + Please see file "doc/reference.html" for more details. + If you ever need to increase the defaults for non-attack XML + payload, please file a bug report with libexpat. + #34 #466 Introduce environment switches EXPAT_ACCOUNTING_DEBUG=(0|1|2|3) + and EXPAT_ENTITY_DEBUG=(0|1) for runtime debugging of accounting + and entity processing; specific behavior of these values may + change in the future. + #34 #466 xmlwf: Add arguments "-a FACTOR" and "-b BYTES" to further tighten + billion laughs protection parameters when desired. + If you ever need to increase the defaults for non-attack XML + payload, please file a bug report with libexpat. + Other changes: examples: Drop executable bits from elements.c #349 Windows: Change the name of the Windows DLLs from expat*.dll 
@@ -20,6 +49,11 @@ Release 2.2.9 Wed Septemper 25 2019 Special thanks to: Ben Wagner + Nick Wellnhofer + Yury Gribov + and + Clang LeakSan + JetBrains Release 2.2.8 Fri Septemper 13 2019 Security fixes: -- 1.8.3.1
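Review bot: In the first hunk (@@ -3,10 +3,39 @@) the new "Security fixes" and "New features" entries are inserted directly under the existing heading "Release 2.2.9 Wed Septemper 25 2019", while the patch itself is dated 19 Apr 2021, so the changelog will read as if the release dated 2019 already contained the CVE-2013-0340 protection and the XML_ERROR_AMPLIFICATION_LIMIT_BREACH error code. Anyone who judges exposure from the version heading will get the wrong answer for 2.2.9 builds that do not carry this change; suggest marking the entries as added after the release, or placing them under their own heading, so the text says which builds actually enforce the limit. Two smaller points in the same hunk: the amplification formula as it appears here, "( := ( + ) / )" and "(= + )", has no operand names, so the entry does not say what is divided by what or which bytes count toward the 8 MiB threshold; and the xmlwf "-a FACTOR" / "-b BYTES" entry does not point back to the defaults (100.0 and 8 MiB) stated in the Security fixes entry, which a reader tightening the parameters needs next to the flags.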