mention that expat may delete vulnerable releases

chapter03/introduction.xml

@@ -14,10 +14,11 @@
   order to build a basic Linux system. The listed version numbers correspond to
   versions of the software that are known to work, and this book is based on
   their use. We highly recommend against using different versions because the build
-  commands for one version may not work with a different version. The newest package
+  commands for one version may not work with a different version, unless the
-  versions may also have problems that require work-arounds. These work-arounds
+  different version is specified by a LFS errata or security advisory.
-  will be developed and stabilized in the development version of the
+  The newest package versions may also have problems that require
-  book.</para>
+  work-arounds. These work-arounds will be developed and stabilized in the
+  development version of the book.</para>
 
   <para>For some packages, the release tarball and the (Git or SVN)
   repository snapshot tarball for this release may be published with

chapter03/packages.xml

@@ -173,6 +173,15 @@
         <para>Home page: <ulink url="&expat-home;"/></para>
         <para>Download: <ulink url="&expat-url;"/></para>
         <para>MD5 sum: <literal>&expat-md5;</literal></para>
+        <note>
+          <para>The upstream may remove tarballs of the specific releases of
+          <application>Expat</application> when these releases contain a
+          security vulnerability.  You should refer to
+          <ulink url='&lfs-root;lfs/advisories/'>LFS security advisories</ulink>
+          to figure out which version (with the vulnerability fixed) should
+          be used.  You may download the vulnerable version from a mirror,
+          but it's not recommended.</para>
+        </note>
       </listitem>
     </varlistentry>