Date: Thu, 10 Jun 2021 16:45:55 +0100
From: Simon Kershaw <simon@kershaw.org.uk>
To: freebsd-pkg@freebsd.org
Subject: expat package
Message-ID: <2b0f223315b7b0e6668563bdde887544@kershaw.org.uk>
Hi all,

Not sure if this is the right forum for this question, apologies if not.

Since 27 May, pkg audit tells me that there is a vulnerability in expat:

expat-2.2.10 is vulnerable:
texproc/expat2 -- billion laugh attack
CVE: CVE-2013-0340
WWW: https://vuxml.FreeBSD.org/freebsd/5fa90ee6-bc9e-11eb-a287-e0d55e2a8bf9.html

But "pkg upgrade expat" does not yet do anything.

Is someone responsible for maintaining the expat package and port? expat is currently at 2.4.1, so the FreeBSD version is a bit behind. This vulnerability was fixed on 23 May. See https://blog.hartwork.org/posts/cve-2013-0340-billion-laughs-fixed-in-expat-2-4-0/ which says

> If you maintain Expat packaging or a bundled copy of Expat or a pinned
> version of Expat somewhere, please update to 2.4.1. Thank you!

As I say, apologies if this is the wrong place for this.

Thanks
simon

--
Simon Kershaw
simon@kershaw.org.uk
St Ives, Cambridgeshire
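The situation in the post above (pkg audit flags an installed package, but the port has not yet been bumped to the fixed release) is one a package maintainer or admin usually wants to check across many hosts. The following is an added example, not part of the mailing-list post and not FreeBSD's own tooling: it parses the pkg audit block quoted in the e-mail (embedded here as a constructed sample) and compares the installed version against the fixed upstream version the post names (expat 2.4.1). The package/version split and the handling of FreeBSD epoch (",N") and port-revision ("_N") suffixes are simplifying assumptions of this script, not a specification of pkg's version rules.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the pkg audit lines quoted in the e-mail above
# (real pkg audit output prints one such block per affected package).
SAMPLE_AUDIT = """\
expat-2.2.10 is vulnerable:
texproc/expat2 -- billion laugh attack
CVE: CVE-2013-0340
WWW: https://vuxml.FreeBSD.org/freebsd/5fa90ee6-bc9e-11eb-a287-e0d55e2a8bf9.html
"""

# Fixed upstream version named in the post (expat 2.4.1). Extend as needed.
FIXED_VERSIONS = {"expat": "2.4.1"}


@dataclass
class Finding:
    package: str
    version: str
    titles: list = field(default_factory=list)
    cves: list = field(default_factory=list)
    refs: list = field(default_factory=list)


# "<name>-<version> is vulnerable:" -- the name may itself contain dashes,
# so the version is taken as the part after the last dash that starts a digit.
HEADER_RE = re.compile(r"^(?P<pkg>.+)-(?P<ver>\d[^-\s]*) is vulnerable:$")


def version_key(ver: str) -> tuple:
    """Turn a package version into a comparable tuple.

    Assumption/simplification: epoch (',N') and port revision ('_N') are
    dropped, and each dotted component is compared numerically when it
    starts with digits, with any trailing text as a tiebreaker.
    """
    ver = ver.split(",")[0].split("_")[0]
    parts = []
    for piece in ver.split("."):
        m = re.match(r"(\d+)(.*)", piece)
        if m:
            parts.append((int(m.group(1)), m.group(2)))
        else:
            parts.append((-1, piece))
    return tuple(parts)


def parse_audit(text: str) -> list:
    """Parse pkg audit output into Finding records."""
    findings = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = Finding(m.group("pkg"), m.group("ver"))
            findings.append(current)
            continue
        if current is None:
            continue  # preamble or trailer text before any package block
        if line.startswith("CVE: "):
            current.cves.extend(line[5:].split())
        elif line.startswith("WWW: "):
            current.refs.append(line[5:])
        elif " -- " in line:
            # "<origin> -- <short description>"
            current.titles.append(line.split(" -- ", 1)[1])
    return findings


def still_vulnerable(finding: Finding, fixed: dict = FIXED_VERSIONS) -> bool:
    """True when the installed version is older than the known fixed version.

    A package with no recorded fixed version is reported as still open,
    since pkg audit has flagged it and nothing contradicts that.
    """
    target = fixed.get(finding.package)
    if target is None:
        return True
    return version_key(finding.version) < version_key(target)


def report(text: str = SAMPLE_AUDIT) -> list:
    """Return (package, installed version, still_open, cves) per finding."""
    return [(f.package, f.version, still_vulnerable(f), f.cves)
            for f in parse_audit(text)]


if __name__ == "__main__":
    for pkg, ver, is_open, cves in report():
        state = "OPEN (upgrade needed)" if is_open else "fixed version installed"
        print(f"{pkg}-{ver}: {state} {' '.join(cves)}")
```

On a real host the text would come from `pkg audit -F` piped into the script; for the sample quoted in the post it reports expat-2.2.10 as still open against the 2.4.1 fix, which is exactly the state the e-mail describes (audit flags it, but no upgrade is available yet).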