This is the mail archive of the mailing list for the Cygwin project.
Re: [SECURITY] cygwin32-expat, mingw64-$arch-expat, etc.
- From: Yaakov Selkowitz <yselkowitz at cygwin dot com>
- To: cygwin-apps at cygwin dot com
- Date: Wed, 16 Mar 2016 22:01:02 -0500
- Subject: Re: [SECURITY] cygwin32-expat, mingw64-$arch-expat, etc.
- Authentication-results: sourceware.org; auth=none
- References: <FE2DF2E9-ECC4-4914-84F5-976E32425FE8 at etr-usa dot com> <56E9C2E9 dot 3010003 at cygwin dot com> <AA2040E7-E598-4448-BF38-6B75D5F22762 at etr-usa dot com>
> On 2016-03-16 15:50, Warren Young wrote:
>> On Mar 16, 2016, at 2:32 PM, Yaakov Selkowitz wrote:
>>> On 2016-03-16 14:28, Warren Young wrote:
>>>> expat 2.1.1 fixes MEDIUM-rated CVE-2015-1283. I've uploaded the regular
>>>> expat 2.1.1 packages, but the cross-development packages maintained by
>>>> Yaakov are all at 2.1.0. Some appear to have 2.1.1 alternate versions available
>>> mingw64-*-expat were updated to 2.1.1 a few days ago already.
>> Might I ask how you even learned that a newer version was available? The expat
>> project doesn't have mailing lists any more. I was contacted by one of the
>> upstream maintainers, which seems a bit back-channel to me.
>> I assume that someone who maintains so many packages has a better way to keep
>> on top of which packages need to be updated.
Fedora maintains an automated release detection and notification service
named Anitya, hosted at https://release-monitoring.org/. If you have a
FAS account (which is available to all, not just contributors), you can
custom-tailor a message subscription for each of your packages, or (as I
do) simply subscribe to all newly detected versions.
Alternatively, the fedmsg bus has a public JSON API; e.g. to see the
latest release of expat over the last week:
$ http get https://apps.fedoraproject.org/datagrepper/raw \
    package==expat rows_per_page==1 \
    | jq '.raw_messages[].msg.message.project.version'
    # raw_messages is a JSON array, so it has to be iterated with [];
    # '.raw_messages.msg' makes jq fail with "Cannot index array with string"
See https://apps.fedoraproject.org/datagrepper/ for details. (FWIW I
just added httpie and jq to the distro.)
In theory, it is possible to add the Cygwin distribution to that Anitya
instance and setup a service (possibly on sourceware?) which processes
the fedmsg bus to send email notifications, but I simply don't have time
to set that up right now.
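The same release check as a small offline script, added here as an example; it is not code from the post, from Cygwin, or from the Fedora release-monitoring project. It builds the datagrepper query the httpie one-liner makes, reads the answer with the field path used in the post (raw_messages[].msg.message.project.version), and flags packages whose shipped version is behind upstream. The sample datagrepper response, the packaged-version table, and the `cygwin32-`/`mingw64-*-` prefix-stripping rule are constructed assumptions for the demonstration, not verified against the live API or the distro.

```python
"""Compare packaged versions against Anitya release notices from datagrepper.

Added example, not from the mailing-list post or the Fedora project. The sample
response is constructed by hand to match the field path used in the post
(raw_messages[].msg.message.project.version); the real API returns more fields.
"""
import json
import re
from urllib.parse import urlencode
from urllib.request import urlopen

DATAGREPPER_RAW = "https://apps.fedoraproject.org/datagrepper/raw"

# Constructed sample shaped like a datagrepper `raw` result holding one
# Anitya version-update notice for expat (field set is an assumption).
SAMPLE_RESPONSE = json.dumps({
    "count": 1,
    "raw_messages": [
        {
            "topic": "org.release-monitoring.prod.anitya.project.version.update",
            "timestamp": 1457988000,
            "msg": {
                "message": {
                    "project": {"name": "expat", "version": "2.1.1"},
                    "upstream_version": "2.1.1",
                },
            },
        }
    ],
})


def build_query_url(package: str, rows_per_page: int = 1) -> str:
    """The request the httpie one-liner sends, as a plain URL."""
    params = {"package": package, "rows_per_page": rows_per_page}
    return f"{DATAGREPPER_RAW}?{urlencode(params)}"


def version_key(version: str) -> tuple:
    """Numeric-aware sort key so that 2.1.10 sorts after 2.1.9.

    Caveat: a pre-release tag such as 2.1.1rc1 compares as newer than 2.1.1;
    good enough for a notification filter, not for a full version algebra.
    """
    parts = []
    for piece in re.split(r"[.\-_]", version):
        parts.append((0, int(piece)) if piece.isdigit() else (1, piece))
    return tuple(parts)


def latest_versions(raw_json: str) -> dict:
    """Map Anitya project name -> newest version found in the notices."""
    doc = json.loads(raw_json)
    found = {}
    for entry in doc.get("raw_messages", []):  # raw_messages is a list
        project = entry.get("msg", {}).get("message", {}).get("project", {})
        name, version = project.get("name"), project.get("version")
        if not name or not version:
            continue  # not a version-update notice; skip it
        if name not in found or version_key(version) > version_key(found[name]):
            found[name] = version
    return found


def upstream_name(pkg: str) -> str:
    """Map a Cygwin cross package to its upstream project name.

    Assumed naming convention: strip the cygwin32-/mingw64-<arch>- prefix.
    """
    return re.sub(r"^(cygwin32|mingw64-(i686|x86_64))-", "", pkg)


def stale_packages(packaged: dict, upstream: dict, name_of) -> dict:
    """Packages whose shipped version is older than the upstream release.

    Returns {package: (shipped, upstream)} for every package that is behind.
    """
    stale = {}
    for pkg, shipped in packaged.items():
        newest = upstream.get(name_of(pkg))
        if newest and version_key(newest) > version_key(shipped):
            stale[pkg] = (shipped, newest)
    return stale


def fetch_latest(package: str, rows_per_page: int = 1, timeout: float = 10.0) -> dict:
    """Live variant against datagrepper; not exercised in the offline demo."""
    with urlopen(build_query_url(package, rows_per_page), timeout=timeout) as resp:
        return latest_versions(resp.read().decode("utf-8"))


# Constructed snapshot of the packages discussed in the thread.
PACKAGED = {
    "expat": "2.1.1",
    "cygwin32-expat": "2.1.0",
    "mingw64-i686-expat": "2.1.1",
    "mingw64-x86_64-expat": "2.1.1",
}

if __name__ == "__main__":
    upstream = latest_versions(SAMPLE_RESPONSE)
    for pkg, (shipped, newest) in sorted(stale_packages(PACKAGED, upstream, upstream_name).items()):
        print(f"{pkg}: shipped {shipped}, upstream {newest}")
```

Run against the constructed data it reports only cygwin32-expat as behind; swapping SAMPLE_RESPONSE for the output of fetch_latest("expat") turns it into the poll a sourceware cron job could run, which is the piece the post describes as not yet set up.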