expat package

From: Simon Kershaw <simon_at_kershaw.org.uk>
Date: Thu, 10 Jun 2021 15:45:55 UTC
Hi all,

Not sure if this is the right forum for this question, apologies if not.

Since 27 May, pkg audit tells me that there is a vulnerability in expat:

expat-2.2.10 is vulnerable:
   texproc/expat2 -- billion laugh attack
   CVE: CVE-2013-0340

But "pkg upgrade expat" does not yet do anything.

Is someone responsible for maintaining the expat package and port? expat
is currently at 2.4.1, so the FreeBSD version is a bit behind.

This vulnerability was fixed on 23 May. See 
which says

> If you maintain Expat packaging or a bundled copy of Expat or a pinned 
> version of Expat
> somewhere, please update to 2.4.1. Thank you!

As I say, apologies if this is the wrong place for this.


Simon Kershaw
St Ives, Cambridgeshire