Vulnerability roundup 63: openjpeg-2.3.0: 8 advisories #57180
Comments
See also #55389

What a bounty of CVEs! There is a 2.3.1 patch release that seems to include most of these:

- uclouvain/openjpeg#1044, in 2.3.1.
- uclouvain/openjpeg#1123, in 2.3.1.
- uclouvain/openjpeg#1126, in 2.3.1.
- uclouvain/openjpeg#1127, not fixed upstream.
- uclouvain/openjpeg#1053, in 2.3.1.
- uclouvain/openjpeg#1057, in 2.3.1.
- uclouvain/openjpeg#1059, in 2.3.1.
- uclouvain/openjpeg#1178, not fixed upstream.

So, upgrading to 2.3.1 will fix all the CVEs that are fixed upstream... But it still leaves 2 unfixed CVEs. Unfortunately openjpeg is a widely used package; marking it insecure would break a large package closure. I will send a PR to upgrade to 2.3.1 at least, but we need to decide what to do about the unfixed CVEs.
My mistake, unstable + 19.09 + 20.03 are already on 2.3.1. So most of these are patched, and we're as patched as we can be given the status of upstream.

@danderson I marked all but CVE-2019-6988 as solved in the initial post. That seems like the correct state. Do you agree?

@andir CVE-2018-16376 is also not patched right now (no upstream patch).

Asked upstream

Closing as NixOS 19.03 is no longer supported.
Scanned versions: nixos-19.03: 5847485. May contain false positives.