[FFe] Sync expat 2.4.1-1 (main) from Debian experimental (main)

Per our discussion in IRC given where we are in the release cycle this would require a Feature Freeze Exception.

This has quite an impact with 264 reverse-depends, so does this security issue.

Ok, looking at the upstream changelog, I don't see any feature braking changes. One thing I'm worried about is the timing and the huge list of reverse-depends. This is not changing the SONAME or starting a transition, right? Asking since the CVE fix seems to actually be quite involving. And I wouldn't want us to get too much work right before Beta.

Thank you for taking a look.

There is *no* SONAME bump, ABI break or such. The newly introduced API is part of the CVE fix.

Ok, hope we'll be able to get this migrating soon, since there might be quite a lot of ADT tests started from this one. Please be sure to shepherd it into the release pocket ASAP! +1

This bug was fixed in the package expat - 2.4.1-2
Sponsored for Rico Tzschichholz (ricotz)

---------------
expat (2.4.1-2) unstable; urgency=medium

  * Upload to Sid.

 -- Laszlo Boszormenyi (GCS) <email address hidden> Thu, 09 Sep 2021 21:26:21 +0200

expat (2.4.1-1) experimental; urgency=high

  * New upstream release:
    - fix CVE-2013-0340: protect against billion laughs attacks
      (denial-of-service; flavors targeting CPU time or RAM or both,
      leveraging general entities or parameter entities or both).
  * Update libexpat1 symbols.

 -- Laszlo Boszormenyi (GCS) <email address hidden> Mon, 24 May 2021 10:14:11 +0200