mention that expat may delete vulnerable releases

author: Xi Ruoyao <xry111@mengyan1223.wang> 2022-02-25 12:10:04 +0800
committer: Xi Ruoyao <xry111@mengyan1223.wang> 2022-02-25 12:10:04 +0800
commit: b0a6b0cedba1c78a27a8e3affc079673953c3901 (patch)
tree: 5e81908e077f13f88a44ed69ee4e17f62d4748ab /chapter03/packages.xml
parent: ba2dc1b6a71e75615b103963349fbdf2727e3672 (diff)
1 files changed, 9 insertions, 0 deletions
diff --git a/chapter03/packages.xml b/chapter03/packages.xml
index 171daec75..67adc3e31 100644
--- a/chapter03/packages.xml
+++ b/chapter03/packages.xml
@@ -173,6 +173,15 @@
         <para>Home page: <ulink url="&expat-home;"/></para>
         <para>Download: <ulink url="&expat-url;"/></para>
         <para>MD5 sum: <literal>&expat-md5;</literal></para>
+        <note>
+          <para>The upstream may remove tarballs of the specific releases of
+          <application>Expat</application> when these releases contain a
+          security vulnerability.  You should refer to
+          <ulink url='&lfs-root;lfs/advisories/'>LFS security advisories</ulink>
+          to figure out which version (with the vulnerability fixed) should
+          be used.  You may download the vulnerable version from a mirror,
+          but it's not recommended.</para>
+        </note>
       </listitem>
     </varlistentry>
author	Xi Ruoyao <xry111@mengyan1223.wang>	2022-02-25 12:10:04 +0800
committer	Xi Ruoyao <xry111@mengyan1223.wang>	2022-02-25 12:10:04 +0800
commit	b0a6b0cedba1c78a27a8e3affc079673953c3901 (patch)
tree	5e81908e077f13f88a44ed69ee4e17f62d4748ab /chapter03/packages.xml
parent	ba2dc1b6a71e75615b103963349fbdf2727e3672 (diff)