From: "Dr. Volker Zell"
To: Yaakov Selkowitz
Cc: cygwin-apps@cygwin.com, "dr.volker.zell@oracle.com"
Subject: Re: [SECURITY] libwmf
Date: Mon, 29 Jun 2015 15:56:00 -0000
In-Reply-To: <1435337470.11720.23.camel@cygwin.com> (Yaakov Selkowitz's message of "Fri, 26 Jun 2015 11:51:10 -0500")

>>>>> Yaakov Selkowitz writes:

> On Mon, 2015-06-08 at 15:42 -0500, Yaakov Selkowitz wrote:
>> On Fri, 2015-06-05 at 03:17 -0500, Yaakov Selkowitz wrote:
>> > Dr. Volker,
>> >
>> > A security vulnerability has been made public for libwmf:
>> >
>> > https://bugzilla.redhat.com/show_bug.cgi?id=1227243
>>
>> Actually, it's worse than that. Despite configuring with --with-sys-gd,
>> libwmf is still being built with the bundled libgd (which has either an
>> older or custom API) instead of the system one. Therefore, practically
>> the entire patchset is required to fix all known vulnerabilities:
>>
>> http://pkgs.fedoraproject.org/cgit/libwmf.git/

> Are you still with us?

Yes, but NO time right now (plus upcoming vacation)

Ciao
  Volker