Re: Bug#1102554: xmlrpc-c: bundles a (very old and) vulnerable copy of libexpat
PS: I reopened the old php bug.
The same old patch still applies => remove 1 line from debian/control{.in}
$ bts tag 691755 -wontfix
$ bts unarchive 871826
$ bts reassign 871826 src:php8.4
$ bts retitle 871826 php8.4: Please remove unused libxmltok1-dev from Build-Depends
$ bts reopen 871826
$ bts severity 871826 important
> > src:libxmltok is expat1 with a different name.
> > CVE-2021-46143 was fixed in trixie, other expat CVEs need triaging.
> > php8.4 has a (stale?) build dependency on libxmltok1-dev.
> >
> > > Regards,
> > > Salvatore
> >
> > cu
> > Adrian