fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepfffhvffukfhfgggtuggjsehgtderredttddvnecuhfhrohhmpefnvghoucfh rghmuhhlrghrihcuoehlvghosehfrghmuhhlrghrihdrnhgrmhgvqeenucggtffrrghtth gvrhhnpedukeevgeetkeeltefgiedtjefgjeekffduteehvdfhueekudelieekjeefheff teenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehlvg hosehfrghmuhhlrghrihdrnhgrmhgv X-ME-Proxy: Received: by mail.messagingengine.com (Postfix) with ESMTPA; Wed, 2 Jun 2021 23:16:30 -0400 (EDT) Date: Wed, 2 Jun 2021 23:16:29 -0400 From: Leo Famulari To: Marius Bakke Subject: Re: bug#48612: Expat "billion laughs attack" vulnerability (CVE-2013-0340) Message-ID: References: <87bl91qy68.fsf@gnu.org> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="c5XPOlW05k7pye8d" Content-Disposition: inline In-Reply-To: X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 48612-done Cc: 48612-done@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.7 (-) --c5XPOlW05k7pye8d Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Mon, May 24, 2021 at 01:06:47PM -0400, Leo Famulari wrote: > I think it's okay to graft it. The distro is big enough that there will > always be some grafted packages. However, I'd like to try ungrafting at > regular periods; based on the current ungrafting build cycle, monthly > may be reasonable. 
I updated your patch to use expat 2.4.1 and pushed as 6d71f6a73cd27d61d3302b9658893428af6314d2