To: Yaakov Selkowitz
Cc: cygwin-apps@cygwin.com, "Dr. Volker Zell"
Subject: Re: [SECURITY] libwmf
From: "Dr. Volker Zell"
Date: Fri, 10 Jul 2015 05:43:00 -0000
In-Reply-To: <1436472549.7208.46.camel@cygwin.com> (Yaakov Selkowitz's message of "Thu, 09 Jul 2015 15:09:09 -0500")

>>>>> Yaakov Selkowitz writes:

> On Mon, 2015-06-29 at 17:56 +0200, Dr. Volker Zell wrote:
>> >>>>> Yaakov Selkowitz writes:
>> > On Mon, 2015-06-08 at 15:42 -0500, Yaakov Selkowitz wrote:
>> >> On Fri, 2015-06-05 at 03:17 -0500, Yaakov Selkowitz wrote:
>> >> > Dr. Volker,
>> >> >
>> >> > A security vulnerability has been made public for libwmf:
>> >> >
>> >> > https://bugzilla.redhat.com/show_bug.cgi?id=1227243
>> >>
>> >> Actually, it's worse than that. Despite configuring with --with-sys-gd,
>> >> libwmf is still being built with the bundled libgd (which has either an
>> >> older or custom API) instead of the system one. Therefore, practically
>> >> the entire patchset is required to fix all known vulnerabilities:
>> >>
>> >> http://pkgs.fedoraproject.org/cgit/libwmf.git/
>>
>> > Are you still with us?
>>
>> Yes, but NO time right now (plus upcoming vacation)

> Understood, I've uploaded 0.2.8.4-15 with the complete patchset.

Thanks

> BTW, tzcode has been a bit neglected as of late, and it's the sort of
> package that really needs to be kept timely (forgive the pun). Would
> you mind if we took over maintainership?

Just go ahead...

> --
> Yaakov

Ciao
Volker