I think this just requires us to update Simple Pie. Here is the fix (I think). simplepie/simplepie#458

Joomla is using a very old version (1.3.1)
@HLeithner can this be updated? I see it is set in composer to use that specific version

It seams version 1.5 is the last version supporting PHP 5.3 (at least they removed testing in 1.5.1).
Later version removed testing vor php 5.4 and 5.5, Version 1.4.3 is the version version including the patch, so I would suggest to upgrade to 1.4.3.

Joomla core seams not to use this at all and has it deprecated.

Does our policy say anything against this?

George purposefully didn't upgrade past 1.3.1 when converting the library to use Composer because there were no changelogs or other resources available to determine compatibility issues in newer versions of the library. So before someone goes and blindly runs a composer update they need to either find appropriate changelogs and release notes or do a manual review of the diff between 1.3.1 and whatever version is upgraded to.

so backporting the fix would be a quick solution but I have seen there is also a php 7.4 combat fix in 1.5.3.

Please don't start modifying files in libraries/vendor.

I'm not planing to, only to find a solution... so a really quick look showed changes in the hashing function that would return different hashes.

At least the demo's didn't changed for 7 years. Anyway I will take a closer look but that will take sometime. If anyone else is welcome to do it.

Whats your suggestion if we find something incompatible to our version?

Either don't touch it because it's a third party library and the integration is deprecated anyway (nobody bothered updating MooTools after it was deprecated) or if you really feel that compelled to make changes then fork the library, make the changes, and change Joomla to use that forked repo as the install source (as that's the only solution that prevents unwanted revert of those changes anyway).

So won't fix is your suggestion then?

If you can't safely upgrade to a more recent version then yes.

The integration might be deprecated but is it really right to ship with an outdated library that 3pd are using

If it can't be safely upgraded then the better option is to not upgrade it. Same theoretical problem with any other external dependency.

@HLeithner anything happening here?

Since I'm not planing to fork simplepie and it's unused in core I would suggest that a extension developer upgrade include the version he/she needs.

If someone like to fork simplepie and maintain it for php 5.3 to php 8.1 I would include it in Joomla! but at this time I see here a won't fix.

Won't except someone is willing to fork it to joomla-backports and maintain it.