From e957c58a1e27b366d1ffad47d5da6773c7443949 Mon Sep 17 00:00:00 2001
From: Christoph Conrads
Date: Sun, 11 Jul 2021 21:43:37 +0200
Subject: Expat: add version 2.4.0, 2.4.1; fix CVE-2013-0340 (#24669)
* Expat: add version 2.4.0, 2.4.1; fix CVE-2013-0340 fixes #24628
* E4S pipeline: update pinned Expat version
---
 var/spack/repos/builtin/packages/expat/package.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
(limited to 'var')
diff --git a/var/spack/repos/builtin/packages/expat/package.py b/var/spack/repos/builtin/packages/expat/package.py
index ddc6f8bc85..799928b11a 100644
--- a/var/spack/repos/builtin/packages/expat/package.py
+++ b/var/spack/repos/builtin/packages/expat/package.py
@@ -14,9 +14,13 @@ class Expat(AutotoolsPackage):
 homepage = "https://libexpat.github.io/"
 url = "https://github.com/libexpat/libexpat/releases/download/R_2_2_9/expat-2.2.9.tar.bz2"
- version('2.3.0', sha256='f122a20eada303f904d5e0513326c5b821248f2d4d2afbf5c6f1339e511c0586')
- version('2.2.10', sha256='b2c160f1b60e92da69de8e12333096aeb0c3bf692d41c60794de278af72135a5')
- version('2.2.9', sha256='f1063084dc4302a427dabcca499c8312b3a32a29b7d2506653ecc8f950a9a237')
+ version('2.4.1', sha256='2f9b6a580b94577b150a7d5617ad4643a4301a6616ff459307df3e225bcfbf40')
+ version('2.4.0', sha256='8c59142ef88913bc0a8b6e4c58970c034210ca552e6271f52f6cd6cce3708424')
+ # deprecate all releases before 2.4.0 because of CVE-2013-0340
+ # ("billion laughs attack")
+ version('2.3.0', sha256='f122a20eada303f904d5e0513326c5b821248f2d4d2afbf5c6f1339e511c0586', deprecated=True)
+ version('2.2.10', sha256='b2c160f1b60e92da69de8e12333096aeb0c3bf692d41c60794de278af72135a5', deprecated=True)
+ version('2.2.9', sha256='f1063084dc4302a427dabcca499c8312b3a32a29b7d2506653ecc8f950a9a237', deprecated=True)
 version('2.2.6', sha256='17b43c2716d521369f82fc2dc70f359860e90fa440bea65b3b85f0b246ea81f2', deprecated=True)
 version('2.2.5', sha256='d9dc32efba7e74f788fcc4f212a43216fc37cf5f23f4c2339664d473353aedf6', deprecated=True)
 version('2.2.2', sha256='4376911fcf81a23ebd821bbabc26fd933f3ac74833f74924342c29aad2c86046', deprecated=True)
-- 
cgit v1.2.3-70-g09d2
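Review bot: The example `url` in the context lines above the version list still names the 2.2.9 tarball, which this hunk marks `deprecated=True` because of CVE-2013-0340. Pointing it at a supported release keeps the recipe from presenting an affected version as its reference download, for example `url = "https://github.com/libexpat/libexpat/releases/download/R_2_4_1/expat-2.4.1.tar.bz2"`. The two new `sha256` values cannot be checked from the diff alone, so they should be compared against the upstream release artifacts before merge. As far as I know, `deprecated=True` only discourages selection and an explicit request can still install an old release, so recipes that constrain Expat to older versions are worth a check; the E4S pin named in the commit message is outside this view, which is limited to 'var'. The `Expat` class body starts and continues outside the hunk.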