expat package
Date: Thu, 10 Jun 2021 15:45:55 UTC
Hi all,

Not sure if this is the right forum for this question, apologies if not.

Since 27 May, pkg audit tells me that there is a vulnerability in expat:

    expat-2.2.10 is vulnerable:
      texproc/expat2 -- billion laugh attack
      CVE: CVE-2013-0340
      WWW: https://vuxml.FreeBSD.org/freebsd/5fa90ee6-bc9e-11eb-a287-e0d55e2a8bf9.html

But "pkg upgrade expat" does not yet do anything.

Is someone responsible for maintaining the expat package and port? expat is currently at 2.4.1, so the FreeBSD version is a bit behind. This vulnerability was fixed on 23 May. See
https://blog.hartwork.org/posts/cve-2013-0340-billion-laughs-fixed-in-expat-2-4-0/
which says

> If you maintain Expat packaging or a bundled copy of Expat or a pinned
> version of Expat somewhere, please update to 2.4.1. Thank you!

As I say, apologies if this is the wrong place for this.

Thanks

simon

--
Simon Kershaw
simon@kershaw.org.uk
St Ives, Cambridgeshire