#48612 - Expat "billion laughs attack" vulnerability (CVE-2013-0340)

Package	Source(s)		Maintainer(s)
guix		PTS Buildd Popcon

Message #18 received at 48612-done@debbugs.gnu.org (full text, mbox, reply):

Received: (at 48612-done) by debbugs.gnu.org; 3 Jun 2021 03:16:37 +0000
From debbugs-submit-bounces@debbugs.gnu.org Wed Jun 02 23:16:37 2021
Received: from localhost ([127.0.0.1]:41720 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1lodqX-000130-7X
	for submit@debbugs.gnu.org; Wed, 02 Jun 2021 23:16:37 -0400
Received: from out3-smtp.messagingengine.com ([66.111.4.27]:39691)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@famulari.name>) id 1lodqW-00012p-0K
 for 48612-done@debbugs.gnu.org; Wed, 02 Jun 2021 23:16:36 -0400
Received: from compute2.internal (compute2.nyi.internal [10.202.2.42])
 by mailout.nyi.internal (Postfix) with ESMTP id E8B0E5C010E;
 Wed,  2 Jun 2021 23:16:30 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163])
 by compute2.internal (MEProxy); Wed, 02 Jun 2021 23:16:30 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=date:from:to:cc:subject:message-id:references:mime-version
 :content-type:in-reply-to; s=mesmtp; bh=1yDLU8o1ZoUtqo8XIZppsfXX
 KCLwiMqn+syvAzfaWfc=; b=QFTcnlB35BHxYJblVkRuGxwKWoxvxKno2NIuDfG5
 J2w3A2mBnSf3FLT46mm+/XGYsDIS0IFijYQ2pA9Oo8WsL75UdLrjxGbglSte1PIK
 0HZhJnXLwEU1QYNn3P+gDT4mPsFQHafZXZz992YatyUTwvfe5kEMsl1FAi4A8Os/
 B1Q=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:content-type:date:from:in-reply-to
 :message-id:mime-version:references:subject:to:x-me-proxy
 :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=1yDLU8
 o1ZoUtqo8XIZppsfXXKCLwiMqn+syvAzfaWfc=; b=dn0X28FPZ/Wngf0Mn8rqHY
 fC9HWjFAb/U3exMuqPx4vwEXOx29R0UTSYXoRuOQYCU7Nr4g6/UpEATk3n6Gg8en
 AC9jKwFFDjlXSJRfzZ+/+aKk5ZZIVw6czkBv7fAsLYJwORrRTEFxspdQHTeOW+wQ
 y9aaftCRt661fBvIcMdgqapP+sIttyLKq5kkR1EH/AHmgPHgkBFC4BYNixKQKNIr
 sX/QKGtppuKARvd90fdkv9NOW0gibWMA8r6aHLg2ko3a60h+DdKk6Vvuk90xhgmr
 0oPVV3/gvuQTBeDZpfv/ZyT5U5F07tI2YbeUH2WAo26kKC+zr5DadYSeRAGw6R2A
 ==
X-ME-Sender: <xms:jkm4YC2gtE7sF56Pgfxw_NbBqDnoLsPWvaCuc_xojzOuSaSdEUOBUQ>
 <xme:jkm4YFG9QsJUqTp2-7c91Uvx9-gRA8P8JjR8dpDZbM6nbSKJftNUtVJzraGJKqYBG
 -mw85kG0rgNPs-HFA>
X-ME-Received: <xmr:jkm4YK65jWjJgUCErT_R67bmRiBcBsDOW_-mj_MgQcQM1s6rNIdsaoxb9Gx0o9nixBMCJZhrlSORMcFSInfYzKE6jg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrvdelkedgieejucetufdoteggodetrfdotf
 fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen
 uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne
 cujfgurhepfffhvffukfhfgggtuggjsehgtderredttddvnecuhfhrohhmpefnvghoucfh
 rghmuhhlrghrihcuoehlvghosehfrghmuhhlrghrihdrnhgrmhgvqeenucggtffrrghtth
 gvrhhnpedukeevgeetkeeltefgiedtjefgjeekffduteehvdfhueekudelieekjeefheff
 teenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehlvg
 hosehfrghmuhhlrghrihdrnhgrmhgv
X-ME-Proxy: <xmx:jkm4YD3PdS4gx2vgteCtnKABI_-qTP6-ZwiKOuTCxPChwAODuJM3Bg>
 <xmx:jkm4YFHP2c7GOsAsgfA0-YiLNWlcT9XMioz7nit8ATtsajXM8gRcew>
 <xmx:jkm4YM-nkqBBZjggvQnn0d-EW8OvdLnVTNA4sw8gb4hKwco55H1Ieg>
 <xmx:jkm4YIMeC5EA3-oJFU-mlOR6H-L9S5LW0r8HWxMPKPUerwBc2xLFfg>
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Wed,
 2 Jun 2021 23:16:30 -0400 (EDT)
Date: Wed, 2 Jun 2021 23:16:29 -0400
From: Leo Famulari <leo@famulari.name>
To: Marius Bakke <marius@gnu.org>
Subject: Re: bug#48612: Expat "billion laughs attack" vulnerability
 (CVE-2013-0340)
Message-ID: <YLhJjeorZ1b9o4NK@jasmine.lan>
References: <87bl91qy68.fsf@gnu.org>
 <YKvdJ75zNMh+8aHw@jasmine.lan>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="c5XPOlW05k7pye8d"
Content-Disposition: inline
In-Reply-To: <YKvdJ75zNMh+8aHw@jasmine.lan>
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 48612-done
Cc: 48612-done@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.7 (-)

[Message part 1 (text/plain, inline)]

On Mon, May 24, 2021 at 01:06:47PM -0400, Leo Famulari wrote:
> I think it's okay to graft it. The distro is big enough that there will
> always be some grafted packages. However, I'd like to try ungrafting at
> regular periods; based on the current ungrafting build cycle, monthly
> may be reasonable.

I updated your patch to use expat 2.4.1 and pushed as
6d71f6a73cd27d61d3302b9658893428af6314d2

[signature.asc (application/pgp-signature, inline)]

Display info messages

Send a report that this bug log contains spam.

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sat Dec 21 18:34:57 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

#48612 Expat "billion laughs attack" vulnerability (CVE-2013-0340)