Source: xmlrpc-c
Version: 1.59.03-7
Severity: important
Tags: upstream security
X-Debbugs-Cc: [email protected],[email protected]

Hi

Triggered by the oss-security post from the expat upstream maintainer:
https://www.openwall.com/lists/oss-security/2025/04/09/4

It might be worth using a similar patch to make xmlrpc-c switch to use the system expat instead of the internal copy. Ideally upstream would even just remove the upstream embedded source, but from what I read in the above there is no interest in that for now.

https://raw.githubusercontent.com/gentoo/gentoo/61b6130343a41b49da1ffe7376ab5d2077a37411/dev-libs/xmlrpc-c/files/xmlrpc-c-1.59.03-use-system-expat.patch is the patch by Sebastian Pipping to use the system libexpat.

Regards,
Salvatore

