From: Jack Hill
To: guix-patches@gnu.org
Date: Fri, 28 Jun 2019 15:56:42 -0400 (EDT)
Subject: expat-2.2.7 for CVE-2018-20843

Hi Guix,

Sebastian Pipping recently wrote to guix-devel@ about expat-2.2.7 which fixes CVE-2018-20843 [0]. I've prepared the forthcoming patch to add a replacement for expat with expat-2.2.7. I also changed the origin to use the GitHub hosted tarball as upstream is moving in that direction.

[0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843

Best,
Jack