| Summary: | dev-haskell/hexpat[bundled-expat] uses vulnerable Expat 2.2.1 | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Sebastian Pipping <sping> |
| Component: | Current packages | Assignee: | Gentoo's Haskell Language team <haskell> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | esigra, proxy-maint, sam, security |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://github.com/the-real-blackh/hexpat/issues/11 | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 251464 | | |

Description
Sebastian Pipping
2016-08-12 19:44:26 UTC

Seems fixed by 0.20.13 ebuild introducing use flag bundled-expat. Shall we ask for stabilization of 0.20.13 to close this bug?

Closing as fixed because 0.20.13 is the only ebuild left in Gentoo as of today.

(In reply to Sebastian Pipping from comment #2)
> Closing as fixed because 0.20.13 is the only ebuild left in Gentoo as of
> today.

I guess that was too fast: I realize now that use flag bundled-libs will still get you an outdated vulnerable copy of Expat. So re-opening, sorry.

I just opened an issue about updating the bundled copy, upstream.

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=99fef3753769f1195b74c27d208e2e35b351920b

commit 99fef3753769f1195b74c27d208e2e35b351920b
Author: Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2021-05-24 04:58:04 +0000
Commit: Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2021-05-24 04:58:14 +0000

dev-haskell/hexpat: drop USE=bundled-expat

Reported-by: Sebastian Pipping
Closes: https://bugs.gentoo.org/591136
Package-Manager: Portage-3.0.18, Repoman-3.0.3
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

dev-haskell/hexpat/hexpat-0.20.13.ebuild | 19 ++++++-----
dev-haskell/hexpat/metadata.xml | 55 +-------------------------------
2 files changed, 10 insertions(+), 64 deletions(-)