As suggested, I am not re-using bug #458742 but creating a new ticket… I have pushed dev-libs/expat-2.4.1 earlier today. Release 2.4.0 fixed long unfixed CVE-2013-0340 at the source.
Thanks sping. Let us know when it's ready to stable. (aside: register your nick on Libera now we're migrating there? Maybe even hang around afterwards! ;))
Unable to check for sanity:
> no match for package: dev-libs/expat-2.4.0
All sanity-check issues have been resolved
(In reply to Sam James from comment #1)
> Thanks sping. Let us know when it's ready to stable.
I'm happy with any date. What would be your preferences?
> (aside: register your nick on Libera now we're migrating there? Maybe even
> hang around afterwards! ;))
Thanks for the nudge about it, I just registered.
We usually go faster for security bugs but try to balance the risk of the changes since the last version against the severity of any bugs. Whenever you’re happy (could be now, or a week), we’ll add CC-ARCHES.
(In reply to Sam James from comment #5)
> Whenever you’re happy (could be now, or a week), we’ll add CC-ARCHES.
Alright, let's go! :)
arm64 done
arm done
x86 done
amd64 done
ppc done
ppc64 done
sparc stable
hppa stable
Please cleanup, thanks!
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=90eadb7bb21b4941c9d6297c0725edef87e49837
commit 90eadb7bb21b4941c9d6297c0725edef87e49837
Author: Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2021-05-28 21:21:38 +0000
Commit: Sebastian Pipping <sping@gentoo.org>
CommitDate: 2021-05-28 21:22:54 +0000
    dev-libs/expat: Drop vulnerable
    Bug: https://bugs.gentoo.org/791703
    Signed-off-by: Sebastian Pipping <sping@gentoo.org>
    Package-Manager: Portage-3.0.19, Repoman-3.0.3
 dev-libs/expat/Manifest | 2 -
 dev-libs/expat/expat-2.2.10.ebuild | 99 --------------------------------------
 dev-libs/expat/expat-2.3.0.ebuild | 99 --------------------------------------
 3 files changed, 200 deletions(-)
Thanks!
Unable to check for sanity:
> no match for package: dev-libs/expat-2.4.1
GLSA request filed
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/data/glsa.git/commit/?id=03f0a34b2dd087d0388307c6a72febd44202bb20
commit 03f0a34b2dd087d0388307c6a72febd44202bb20
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-09-29 14:24:39 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2022-09-29 14:48:02 +0000
    [ GLSA 202209-24 ] Expat: Multiple Vulnerabilities
    Bug: https://bugs.gentoo.org/791703
    Bug: https://bugs.gentoo.org/830422
    Bug: https://bugs.gentoo.org/831918
    Bug: https://bugs.gentoo.org/833431
    Bug: https://bugs.gentoo.org/870097
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>
 glsa-202209-24.xml | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
GLSA released, all done!