| Summary | <dev-libs/expat-2.6.3: multiple vulnerabilities | | |
|---|---|---|---|
| Product | Gentoo Security | Reporter | Sebastian Pipping <sping> |
| Component | Vulnerabilities | Assignee | Gentoo Security <security> |
| Status | IN_PROGRESS | | |
| Severity | normal | CC | fkobi, sping |
| Priority | Normal | | |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| See Also | https://github.com/libexpat/libexpat/pull/890, https://github.com/libexpat/libexpat/pull/891, https://github.com/libexpat/libexpat/pull/892, https://github.com/libexpat/libexpat/pull/896 | | |
| Whiteboard | A3 [stable] | | |
| Package list | | Runtime testing required | --- |
| Bug Depends on | 924601, 939074, 930032 | | |
| Bug Blocks | | | |
Description
Sebastian Pipping
2024-09-01 20:28:07 UTC
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c4c60d4f7b4cf41d158e8df07ccf9b4641ba8b16

commit c4c60d4f7b4cf41d158e8df07ccf9b4641ba8b16
Author: Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2024-09-04 11:26:38 +0000
Commit: Sebastian Pipping <sping@gentoo.org>
CommitDate: 2024-09-04 11:29:27 +0000

dev-libs/expat: 2.6.3 with security fixes

Bug: https://bugs.gentoo.org/938894
Signed-off-by: Sebastian Pipping <sping@gentoo.org>

dev-libs/expat/Manifest | 1 +
dev-libs/expat/expat-2.6.3.ebuild | 100 ++++++++++++++++++++++++++++++++++++++
2 files changed, 101 insertions(+)

Comment #2 (Sebastian Pipping)

Regarding stabilization:

- We won't be able to wipe dev-libs/expat-2.5.0 from the tree before bug #924601 and bug #930032 are fixed
- We can still stabilize 2.6.3 though, I see no conflict in that
- I have created bug #939074 dedicated to stabilization of 2.6.3 just now

Comment #3

(In reply to Sebastian Pipping from comment #2)
> Regarding stabilization:
> - We won't be able to wipe dev-libs/expat-2.5.0 from the tree
> before bug #924601 and bug #930032 are fixed
> - We can still stabilize 2.6.3 though, I see no conflict in that
> - I have created bug #939074 dedicated to stabilization of 2.6.3 just now

Sounds good, with this approach we can get a fixed version in the hands of most people. Waiting for cleanup will also not block issuing a GLSA if needed.

Comment #4 (Filip Kobierski)

Would versions 2.6.[012] be also dropped? If so then I can make a PR.

Comment #5

(In reply to Filip Kobierski from comment #4)
> Would versions 2.6.[012] be also dropped? If so then I can make a PR.

Just leave it to the maintainer.