Release Expat 2.2.8

[hartwork]

Regular releases:

• Bump .so version info, document in change log
• make distcheck source tarballs using ./distribute.sh
• Build Windows installer
• SourceForge:
  • Upload Windows installer
  • Upload source tarballs + .asc GPG signature (Feature request: GPG-signed release tarballs #193)
  • Make one new source tarball default download for all but Windows
  • Make new installer binary default download for Windows
• GitHub:
  • Create new release
  • Create signed Git tag and push it — https://github.com/libexpat/libexpat/releases/tag/R_2_2_8
  • Upload source tarball + .asc GPG signature (Feature request: GPG-signed release tarballs #193)
  • Upload Windows installer
• Let the community know:
  • News item on https://libexpat.github.io/
  • Mail Expat distro maintainers directly
  • Write to the xml-dev mailing list — http://lists.xml.org/archives/xml-dev/201909/msg00013.html
  • Blog about it at blog.hartwork.org — https://blog.hartwork.org/posts/expat-228-with-security-fixes-has-been-released/
    • Submit to Hacker News — https://news.ycombinator.com/item?id=20972658
  • Blog about it at xml.com — https://www.xml.com/news/2019-09-expat-228/
• (Bump ebuild in Gentoo — gentoo/gentoo@4705488)

Specific to 2.2.8:

• Handle security issue [CVE-2019-15903] Heap overflow in XML_GetCurrentLineNumber #317 / [CVE-2019-15903] Deny internal entities closing the doctype (for #317) #318
  • Request CVE — https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15903
  • Add CVE to change log
  • Open security bug in Gentoo — https://bugs.gentoo.org/694362
  • Mail security teams