Releases: github/cmark-gfm
0.29.0.gfm.13
Changes since last release (0.29.0.gfm.12...0.29.0.gfm.13):
0.29.0.gfm.12
Changes since last release (0.29.0.gfm.11...0.29.0.gfm.12):
- Fixed polynomial time complexity issues per GHSA-w4qg-3vf7-m9x5
- Added CodeQL project integration (#337)
- Addressed const qualifier discard compiler warnings (#330, #331)
0.29.0.gfm.11
Changes since last release (0.29.0.gfm.10...0.29.0.gfm.11):
NOTE: this is a re-release of 0.11 due to missing a version/Changelog PR
- Improved fixes for polynomial time complexity issues per GHSA-66g8-4hjf-77xh (#323, #324)
- Added fuzzing target for bracketed patterns (#318)
- Fixed bug in list numbering introduced in 763587e (#322) which caused list numbers to increment by 2
- Fixed strict prototype clang warning (#310)
- Fixed regression test (#312)
- Added additional output formats to quadratic fuzzer (#327)
- Fixed buffer overflow in fuzzing harness (#326)
Note: these changes may lead to minor changes in expected output on plaintext rendering of list items. Notably, blank lines may no longer delineate the start of a list when rendering to plaintext due to changes in how the tight list status is calculated.
0.29.0.gfm.10
Changes since last release (0.29.0.gfm.9...0.29.0.gfm.10):
- Fixed polynomial time complexity issue per GHSA-r8vr-c48j-fcc5
- Fixed polynomial time complexity issues per GHSA-66g8-4hjf-77xh
Note: these changes remove redundant bold tag nesting which may result in existing rendering tests failing, e.g. rendering ____bold____ to html will no longer yield <p><strong><strong>bold</strong></strong></p>.
0.29.0.gfm.9
Changes since last release (0.29.0.gfm.8...0.29.0.gfm.9):
Code was tidied:
- Use of a private header was cleaned up #248
- Man page was updated #255
- Warnings for -Wstrict-prototypes were cleaned up #285
- We avoid header duplication #289
New functionality:
- We now store positioning info for url_match #201
- We now expose cmark_parent_footnote_def for non-C renderers #254
- Footnote aria-label text now references the specific footnote backref, and we include a data-footnote-backref-idx attribute so the label can be internationalized in a downstream filter #307
0.29.0.gfm.8
Changes since last release (0.29.0.gfm.7...0.29.0.gfm.8):
0.29.0.gfm.7
Changes since last release (0.29.0.gfm.6...0.29.0.gfm.7):
- Fixed CVE-2023-22486, a polynomial time complexity issue in cmark-gfm which may lead to unbounded resource exhaustion and subsequent denial of service.
- Fixed CVE-2023-22485, in which a crafted markdown document could trigger an out-of-bounds read in the validate_protocol function.
- Fixed CVE-2023-22484, a polynomial time complexity issue in cmark-gfm which may lead to unbounded resource exhaustion and subsequent denial of service.
- Fixed CVE-2023-22483, several polynomial time complexity issues in cmark-gfm which may lead to unbounded resource exhaustion and subsequent denial of service.
- We removed an unneeded .DS_Store file (#291)
- We added a test for domains with underscores and fix roundtrip behavior (#292)
- We now use an up-to-date clang-format (#294)
- We made a variety of implicit integer truncations explicit by moving to size_t as our standard size integer type (#302)
- We introduced a new flag mechanism that is used in cmark node state management, which requires clients to call the cmark_init_standard_node_flags function at program startup (420c20a)
The security issues were reported and resolved by @kevinbackhouse and @philipturnbull of the GitHub Security Lab
0.29.0.gfm.6
Changes since last release (0.29.0.gfm.5...0.29.0.gfm.6):
- Fixed polynomial time complexity DoS vulnerability in autolink extension per GHSA-cgh3-p57x-9q7q
0.29.0.gfm.5
Changes since last release (0.29.0.gfm.4...0.29.0.gfm.5):
- Added xmpp: and mailto: support to the autolink extension
0.29.0.gfm.4
Changes since last release (0.29.0.gfm.3...0.29.0.gfm.4):
- Remove source from list of HTML block elements per commonmark/commonmark-spec#710