From 99fd37931c117c2842c503d623aa9749891a9203 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Tue, 12 Nov 2024 15:10:00 +0100
Subject: expat: Add 2.6.4 with security fixes + deprecate vulnerable 2.6.3
 (#47521)

---
 var/spack/repos/builtin/packages/expat/package.py | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

(limited to 'var')

diff --git a/var/spack/repos/builtin/packages/expat/package.py b/var/spack/repos/builtin/packages/expat/package.py
index a41d4912de..485f773a82 100644
--- a/var/spack/repos/builtin/packages/expat/package.py
+++ b/var/spack/repos/builtin/packages/expat/package.py
@@ -16,9 +16,14 @@ class Expat(AutotoolsPackage, CMakePackage):
     url = "https://github.com/libexpat/libexpat/releases/download/R_2_2_9/expat-2.2.9.tar.bz2"
 
     license("MIT")
-
-    version("2.6.3", sha256="b8baef92f328eebcf731f4d18103951c61fa8c8ec21d5ff4202fb6f2198aeb2d")
-    # deprecate all releases before 2.6.3 because of security issues
+    version("2.6.4", sha256="8dc480b796163d4436e6f1352e71800a774f73dbae213f1860b60607d2a83ada")
+    # deprecate all releases before 2.6.4 because of security issues
+    # CVE-2024-50602 (fixed in 2.6.4)
+    version(
+        "2.6.3",
+        sha256="b8baef92f328eebcf731f4d18103951c61fa8c8ec21d5ff4202fb6f2198aeb2d",
+        deprecated=True,
+    )
     # CVE-2024-45490 (fixed in 2.6.3)
     # CVE-2024-45491 (fixed in 2.6.3)
     # CVE-2024-45492 (fixed in 2.6.3)
-- 
cgit v1.2.3-70-g09d2