Subject: [bug#36424] expat-2.2.7 for CVE-2018-20843
Date: Fri, 28 Jun 2019 15:56:42 -0400 (EDT)
From: Jack Hill
To: 36424@debbugs.gnu.org

Hi Guix,

Sebastian Pipping recently wrote to guix-devel@ about expat-2.2.7, which fixes CVE-2018-20843 [0]. I've prepared the forthcoming patch to add a replacement for expat with expat-2.2.7. I also changed the origin to use the GitHub-hosted tarball as upstream is moving in that direction.

[0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843

Best,
Jack