Contains vulnerable copy of Expat - please update to 2.2.5 #2

Open
hartwork opened this issue Jun 25, 2017 · 11 comments

@hartwork

hartwork commented Jun 25, 2017

Hi!

This repository contains an outdated vulnerable copy of Expat 2.1.0. Please update your copy to version 2.2.4 with the latest security fixes. A change log with details is available at https://github.com/libexpat/libexpat/blob/master/expat/Changes. If you happen to run into compile errors, please check post-2.2.2 commits in Git as well. Thank you!

PS: Are you going to update NuGet as well? Else, who should I contact?

Best

Sebastian

@hartwork
Author

hartwork commented Jul 2, 2017

Any news or issues with updating?

@Raggles
Contributor

Raggles commented Jul 4, 2017

Well I don't have any time until mid August, so if nobody else does it first I will do it then. The coapp bits need some adjusting to work with the updated source.

hartwork changed the title from "Contains vulnerable copy of Expat - please update to 2.2.1" to "Contains vulnerable copy of Expat - please update to 2.2.2" on Jul 14, 2017
@hartwork
Author

FYI Expat 2.2.4 has just been released. It would be cool to have it updated.

PS: The list of authors could use an update as well (compare with upstream author list).

hartwork changed the title from "Contains vulnerable copy of Expat - please update to 2.2.2" to "Contains vulnerable copy of Expat - please update to 2.2.4" on Aug 20, 2017
@Raggles
Contributor

Raggles commented Aug 26, 2017

Ok I think I'm done, I can't upload the NuGet packages as I don't have permission - but they are available at https://www.myget.org/F/raggles/api/v2 if somebody wants to test them.

@hartwork
Author

Commit b965711 seems to be post-2.2.4 but even better: it includes Windows fixes.

> I can't upload the NuGet packages as I don't have permission

How do we continue?

@Raggles
Contributor

Raggles commented Aug 26, 2017

@virmitio or @fearthecowboy control the NuGet side of things I think, but as far as I know the coapp project is dead so not sure if you will get much traction there. You could ask them if they can add you as a package owner or to transfer ownership.

@hartwork
Author

I see. I cannot take it over myself, I haven't touched real Windows in years.

@virmitio
Contributor

@Raggles @hartwork

I'm afraid that @fearthecowboy is the only one who may be able to hand off package ownership. I only had an api key for uploading as the group, and that was on a machine that died without recovery a year and change ago.

If there's someone who has the time and genuine interest in updating and maintaining the various packages, I'll happily prod @fearthecowboy to "gift" such ownership.

The best alternative I can offer in the meantime would be to push the packages up to the feed under a revised name with similar tags so others can find the more current release.

@madewokherd
Member

I'd be willing to put some time into this (and have off and on over the past years, for the packages I have access to), but I don't want it to be just me.

hartwork changed the title from "Contains vulnerable copy of Expat - please update to 2.2.4" to "Contains vulnerable copy of Expat - please update to 2.2.5" on Nov 15, 2017
@hartwork
Author

Any news?

@hartwork
Author

Any news? There is Expat 2.2.6 now.
