<efraim>inside debian/patches/ is the old cve-2015 patch, the new one and the 2016 patch
<lfam>I wish they would consider that not everybody is part of their secret club, and thus we haven't been talking about this issue since December. They should publicly state the origin of the patch on oss-sec
<lfam>I'm sure everyone on the pre-disclosure mailing list knows how that patch was made, but the rest of us are scratching our heads
<lfam>Well, the Debian version is superior because it doesn't require 'patch -p2'
<efraim>lfam: your patch looks exactly like what I have, except I didn't rename the patches yet
<lfam>efraim: Good! I found the "re-fix CVE-2015-1283" patch in the upstream git repo, so I regenerated that patch and am commenting it now
<lfam>Well, that upstream commit doesn't apply. I guess we'll use Debian's version of the patch...
<efraim>expat 2.1.1 came out 2? months ago, they might have their patch against that
<lfam>Yeah, who knows. It looks like it was merged into master from their "fix CVE-2016-0718" branch
***frafra_ is now known as frafra
<lfam>It looks like Debian maintains their expat packaging in an SVN repo, and the HTTP interface to that repo is offline. I like to include a link to the source of a patch, but I guess it's not possible in this case
<ifur>efraim: so no one around that can fix the corruption in the git repo?