On Wed, 18 Dec 2019 at 22:03, Sebastian Pipping <sping@gentoo.org> wrote:

CMake bundles a (previously outdated and vulnerable) copy of expat so
I'm not sure if re-activating that bundle — say with a new use flag
"system-expat" — would be a good thing to resort to for breaking the
cycle, with regard to security in particular.

Pushing gently upstream to upgrade the bundled expat copy would (at least temporarily) fix the issue and also benefit other use cases. Maybe they are Gentoo-friendly;
they also release quite often, which would fix the problem soon.