From ba1fc202c135b3e2e8f413a7b2d4b35398f6fb95 Mon Sep 17 00:00:00 2001 From: Sebastian Pipping Date: Thu, 25 May 2017 19:28:15 +0200 Subject: [PATCH] Changes: Mention use of high quality entropy sources --- expat/Changes | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/expat/Changes b/expat/Changes index 623327ef..11cc24bf 100644 --- a/expat/Changes +++ b/expat/Changes @@ -2,6 +2,11 @@ Release ?????????? Security fixes: CVE-2016-9063 -- Detect integer overflow #25 More integer overflow detection (function poolGrow) + Use high quality entropy for hash initialization: + * arc4random_buf on BSD, systems with libbsd, CloudABI + * RtlGenRandom on Windows XP / Server 2003 and later + * getrandom on glic 2.25+ Linux 3.17+ + In a way, that's still part of CVE-2016-5300. Bug fixes: #539 Fix regression from fix to CVE-2016-0718 cutting off
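Review bot: In the added getrandom line, "glic 2.25+" is a typo for "glibc 2.25+", and nothing separates the glibc and kernel requirements, so it is unclear whether both are needed; suggest `* getrandom on Linux 3.17+ with glibc 2.25+`. The closing line "In a way, that's still part of CVE-2016-5300." is vague for an entry under "Security fixes"; state the relation directly, for example that this entry continues the hash initialization work tracked as CVE-2016-5300. The entry also lists three entropy sources without saying what is used on a platform where none of them is available; one line naming the fallback would let packagers judge whether their builds get the high quality source.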