public inbox for cygwin-apps@cygwin.com
* [SECURITY] cygwin32-expat, mingw64-$arch-expat, etc.
From: Warren Young @ 2016-03-16 19:28 UTC (permalink / raw)
  To: cygwin-apps

expat 2.1.1 fixes MEDIUM-rated CVE-2015-1283.  I’ve uploaded the regular expat 2.1.1 packages, but the cross-development packages maintained by Yaakov are all at 2.1.0.  Some appear to have 2.1.1 alternate versions available


* Re: [SECURITY] cygwin32-expat, mingw64-$arch-expat, etc.
From: Yaakov Selkowitz @ 2016-03-16 20:32 UTC (permalink / raw)
  To: cygwin-apps

On 2016-03-16 14:28, Warren Young wrote:
> expat 2.1.1 fixes MEDIUM-rated CVE-2015-1283.  I’ve uploaded the regular
> expat 2.1.1 packages, but the cross-development packages maintained by
> Yaakov are all at 2.1.0.  Some appear to have 2.1.1 alternate versions available

mingw64-*-expat were updated to 2.1.1 a few days ago already.  As for 
the cygwin{32,64}-* packages, those which are not required for building 
cygwin itself (which expat is not) are going away very soon.

-- 
Yaakov


* Re: [SECURITY] cygwin32-expat, mingw64-$arch-expat, etc.
From: Warren Young @ 2016-03-16 20:50 UTC (permalink / raw)
  To: cygwin-apps

On Mar 16, 2016, at 2:32 PM, Yaakov Selkowitz <yselkowitz@cygwin.com> wrote:
> 
> On 2016-03-16 14:28, Warren Young wrote:
>> expat 2.1.1 fixes MEDIUM-rated CVE-2015-1283.  I’ve uploaded the regular
>> expat 2.1.1 packages, but the cross-development packages maintained by
>> Yaakov are all at 2.1.0.  Some appear to have 2.1.1 alternate versions available
> 
> mingw64-*-expat were updated to 2.1.1 a few days ago already.

Might I ask how you even learned that a newer version was available?  The expat project doesn’t have mailing lists any more.  I was contacted by one of the upstream maintainers, which seems a bit back-channel to me.

I assume that someone who maintains so many packages has a better way to keep on top of which packages need to be updated.


* Re: [SECURITY] cygwin32-expat, mingw64-$arch-expat, etc.
From: Yaakov Selkowitz @ 2016-03-17  3:01 UTC (permalink / raw)
  To: cygwin-apps

On 2016-03-16 15:50, Warren Young wrote:
> On Mar 16, 2016, at 2:32 PM, Yaakov Selkowitz wrote:
>> On 2016-03-16 14:28, Warren Young wrote:
>>> expat 2.1.1 fixes MEDIUM-rated CVE-2015-1283.  I’ve uploaded the regular
>>> expat 2.1.1 packages, but the cross-development packages maintained by
>>> Yaakov are all at 2.1.0.  Some appear to have 2.1.1 alternate versions available
>>
>> mingw64-*-expat were updated to 2.1.1 a few days ago already.
>
> Might I ask how you even learned that a newer version was available?  The expat
> project doesn’t have mailing lists any more.  I was contacted by one of the
> upstream maintainers, which seems a bit back-channel to me.

Indeed.

> I assume that someone who maintains so many packages has a better way to keep
> on top of which packages need to be updated.

Fedora maintains an automated release detection and notification service 
named Anitya, hosted at https://release-monitoring.org/.  If you have a 
FAS account (which is available to all, not just contributors), you can 
custom-tailor a message subscription for each of your packages, or (as I 
do) simply subscribe to all newly detected versions.

Alternatively, the fedmsg bus has a public JSON API; e.g. to see the 
latest release of expat over the last week:

$ http get https://apps.fedoraproject.org/datagrepper/raw \
     delta==604800 \
     topic==org.release-monitoring.prod.anitya.project.version.update \
     package==expat rows_per_page==1 \
     | jq '.raw_messages[0].msg.message.project.version'
"2.1.1"

See https://apps.fedoraproject.org/datagrepper/ for details.  (FWIW I 
just added httpie and jq to the distro.)

In theory, it is possible to add the Cygwin distribution to that Anitya 
instance and set up a service (possibly on sourceware?) which processes 
the fedmsg bus to send email notifications, but I simply don't have time 
to set that up right now.

-- 
Yaakov
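The datagrepper query above returns JSON from which jq pulls `.raw_messages[0].msg.message.project.version`. The following is an added example (not code from the thread, Fedora, or the Cygwin project) that does the same extraction in Python over a constructed response and then compares the upstream version against a constructed local package inventory, which is the check a packager tracking security fixes like CVE-2015-1283 actually wants. Only the JSON path from the jq filter is taken from the thread; every other field name, the package names in the inventory and the version strings are assumptions, and the block reads its sample from a string so it runs offline instead of hitting https://apps.fedoraproject.org/datagrepper/raw.

```python
"""Added example: parse an Anitya version-update message in datagrepper's
raw JSON shape and flag locally packaged versions that lag upstream."""
import json
import re

# Constructed sample response. The path raw_messages[0].msg.message.project.version
# mirrors the jq filter in the thread; the remaining keys are assumptions.
SAMPLE_RESPONSE = json.dumps({
    "raw_messages": [
        {
            "topic": "org.release-monitoring.prod.anitya.project.version.update",
            "msg": {
                "message": {
                    "project": {"name": "expat", "version": "2.1.1"}
                }
            },
        }
    ]
})

# Constructed local inventory (package name -> packaged version).
LOCAL_PACKAGES = {
    "expat": "2.1.1",
    "mingw64-x86_64-expat": "2.1.1",
    "cygwin32-expat": "2.1.0",
}


def parse_version(text):
    """Split a dotted version string into a tuple of ints so that
    2.1.1 > 2.1.0 compares numerically rather than lexically."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def latest_upstream_version(response_text):
    """Return the version carried by the first raw message, or None when
    the response is empty or lacks the expected structure."""
    data = json.loads(response_text)
    messages = data.get("raw_messages") or []
    if not messages:
        return None
    try:
        return messages[0]["msg"]["message"]["project"]["version"]
    except (KeyError, TypeError):
        return None


def outdated_packages(local, upstream_version):
    """Return the sorted names of packages whose version is older than
    upstream; an unknown upstream version yields no findings."""
    if upstream_version is None:
        return []
    target = parse_version(upstream_version)
    return sorted(name for name, ver in local.items()
                  if parse_version(ver) < target)


if __name__ == "__main__":
    latest = latest_upstream_version(SAMPLE_RESPONSE)
    print("latest upstream expat:", latest)
    print("packages behind upstream:", outdated_packages(LOCAL_PACKAGES, latest))
```

To use this against the live service you would replace SAMPLE_RESPONSE with the body returned by the datagrepper query shown in the thread (same delta, topic, package and rows_per_page parameters); the parsing and comparison do not change. Returning None on an empty or malformed response, rather than raising, keeps a cron-driven check from dying silently when no update was published in the window.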
