On Mar 16, 2016, at 2:32 PM, Yaakov Selkowitz <yselkow...@cygwin.com> wrote: > > On 2016-03-16 14:28, Warren Young wrote: >> expat 2.1.1 fixes MEDIUM-rated CVE-2015-1283. I’ve uploaded the regular >> expat 2.1.1 packages, but the cross-development packages maintained by >> Yaakov are all at 2.1.0. Some appear to have 2.1.1 alternate versions >> available > > mingw64-*-expat were updated to 2.1.1 a few days ago already.
Might I ask how you even learned that a newer version was available? The expat project doesn’t have mailing lists any more. I was contacted by one of the upstream maintainers, which seems a bit back-channel to me. I assume that someone who maintains so many packages has a better way to keep on top of which packages need to be updated.
