* [SECURITY] cygwin32-expat, mingw64-$arch-expat, etc.
@ 2016-03-16 19:28 Warren Young
2016-03-16 20:32 ` Yaakov Selkowitz
0 siblings, 1 reply; 4+ messages in thread
From: Warren Young @ 2016-03-16 19:28 UTC (permalink / raw)
To: cygwin-apps
expat 2.1.1 fixes MEDIUM-rated CVE-2015-1283. I’ve uploaded the regular expat 2.1.1 packages, but the cross-development packages maintained by Yaakov are all at 2.1.0. Some appear to have 2.1.1 alternate versions available
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [SECURITY] cygwin32-expat, mingw64-$arch-expat, etc.
2016-03-16 19:28 [SECURITY] cygwin32-expat, mingw64-$arch-expat, etc Warren Young
@ 2016-03-16 20:32 ` Yaakov Selkowitz
2016-03-16 20:50 ` Warren Young
0 siblings, 1 reply; 4+ messages in thread
From: Yaakov Selkowitz @ 2016-03-16 20:32 UTC (permalink / raw)
To: cygwin-apps
On 2016-03-16 14:28, Warren Young wrote:
> expat 2.1.1 fixes MEDIUM-rated CVE-2015-1283. Iâve uploaded the regular
> expat 2.1.1 packages, but the cross-development packages maintained by
> Yaakov are all at 2.1.0. Some appear to have 2.1.1 alternate versions available
mingw64-*-expat were updated to 2.1.1 a few days ago already. As for
the cygwin{32,64}-* packages, those which are not required for building
cygwin itself (which expat is not) are going away very soon.
--
Yaakov
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [SECURITY] cygwin32-expat, mingw64-$arch-expat, etc.
2016-03-16 20:32 ` Yaakov Selkowitz
@ 2016-03-16 20:50 ` Warren Young
2016-03-17 3:01 ` Yaakov Selkowitz
0 siblings, 1 reply; 4+ messages in thread
From: Warren Young @ 2016-03-16 20:50 UTC (permalink / raw)
To: cygwin-apps
On Mar 16, 2016, at 2:32 PM, Yaakov Selkowitz <yselkowitz@cygwin.com> wrote:
>
> On 2016-03-16 14:28, Warren Young wrote:
>> expat 2.1.1 fixes MEDIUM-rated CVE-2015-1283. I’ve uploaded the regular
>> expat 2.1.1 packages, but the cross-development packages maintained by
>> Yaakov are all at 2.1.0. Some appear to have 2.1.1 alternate versions available
>
> mingw64-*-expat were updated to 2.1.1 a few days ago already.
Might I ask how you even learned that a newer version was available? The expat project doesn’t have mailing lists any more. I was contacted by one of the upstream maintainers, which seems a bit back-channel to me.
I assume that someone who maintains so many packages has a better way to keep on top of which packages need to be updated.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [SECURITY] cygwin32-expat, mingw64-$arch-expat, etc.
2016-03-16 20:50 ` Warren Young
@ 2016-03-17 3:01 ` Yaakov Selkowitz
0 siblings, 0 replies; 4+ messages in thread
From: Yaakov Selkowitz @ 2016-03-17 3:01 UTC (permalink / raw)
To: cygwin-apps
On 2016-03-16 15:50, Warren Young wrote:
> On Mar 16, 2016, at 2:32 PM, Yaakov Selkowitz wrote:
>> On 2016-03-16 14:28, Warren Young wrote:
>>> expat 2.1.1 fixes MEDIUM-rated CVE-2015-1283. Iâve uploaded the regular
>>> expat 2.1.1 packages, but the cross-development packages maintained by
>>> Yaakov are all at 2.1.0. Some appear to have 2.1.1 alternate versions available
>>
>> mingw64-*-expat were updated to 2.1.1 a few days ago already.
>
> Might I ask how you even learned that a newer version was available? The expat
> project doesnât have mailing lists any more. I was contacted by one of the
> upstream maintainers, which seems a bit back-channel to me.
Indeed.
> I assume that someone who maintains so many packages has a better way to keep
> on top of which packages need to be updated.
Fedora maintains an automated release detection and notification service
named Anitya, hosted at https://release-monitoring.org/. If you have a
FAS account (which is available to all, not just contributors), you can
custom-tailor a message subscription for each of your packages, or (as I
do) simply subscribe to all newly detected versions.
Alternatively, the fedmsg bus has a public JSON API; e.g. to see the
latest release of expat over the last week:
$ http get https://apps.fedoraproject.org/datagrepper/raw \
delta==604800 \
topic==org.release-monitoring.prod.anitya.project.version.update \
package==expat rows_per_page==1 \
| jq '.raw_messages[0].msg.message.project.version'
"2.1.1"
See https://apps.fedoraproject.org/datagrepper/ for details. (FWIW I
just added httpie and jq to the distro.)
In theory, it is possible to add the Cygwin distribution to that Anitya
instance and setup a service (possibly on sourceware?) which processes
the fedmsg bus to send email notifications, but I simply don't have time
to set that up right now.
--
Yaakov
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2016-03-17 3:01 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-03-16 19:28 [SECURITY] cygwin32-expat, mingw64-$arch-expat, etc Warren Young
2016-03-16 20:32 ` Yaakov Selkowitz
2016-03-16 20:50 ` Warren Young
2016-03-17 3:01 ` Yaakov Selkowitz
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).