From: Sebastian Pipping
Subject: Expat 2.4.0 (and 2.4.1) with security fixes released
To: sebastian@pipping.org
Date: Mon, 24 May 2021 01:01:35 +0200
Message-ID: <76c46851-a65a-628a-4ae3-9b760b1c3ad0@pipping.org>
List-Id: "Development of GNU Guix and the GNU System distribution."

Hello everyone!

Expat 2.4.0 (and 2.4.1) most importantly brings protection against
Billion Laughs Attacks (CVE-2013-0340). There is a blog post [1] and
the change log with more details.

If you have patches for Expat that are still required with
version 2.4.1, please send them my way. Thank you!

Best

Sebastian

[1] https://blog.hartwork.org/posts/cve-2013-0340-billion-laughs-fixed-in-expat-2-4-0/
[2] https://github.com/libexpat/libexpat/blob/R_2_4_1/expat/Changes