RE: [URGENT] Confirmation of Fixes for CVE's in 2.12.1
From: Arenas, Aaron
Subject: RE: [URGENT] Confirmation of Fixes for CVE's in 2.12.1
Date: Thu, 30 Jun 2022 04:48:04 +0000
Hello Werner,
Thank you for the insight about the "..." and tags.
I arrived at the conclusion because I was expecting a mention of CVE-2022-27404
and the change that fixed it. But it wasn't there. Looking at the docs/CHANGES,
there was a mention of CVE-2018-25032, which made me think that mitigated
CVEs were the ones that were mentioned. So if the CVE wasn't there, it hadn't been
mitigated yet. Since CVE-2022-27404 wasn't listed, I assumed the worst, that the
fix hadn't been pulled into the release for a reason unknown to me. So I had to
ask to get clarification. The insight you provided about the version
tagging provided clarity and disproved my assumption that the fix wasn't in
version 2.12.1, when in reality it was.
Hope that helps and thanks again!
Regards,
Aaron
-----Original Message-----
From: Werner LEMBERG <wl@gnu.org>
Sent: Wednesday, June 29, 2022 9:22 PM
To: Arenas, Aaron <aaron.arenas@intel.com>
Cc: freetype@nongnu.org
Subject: Re: [URGENT] Confirmation of Fixes for CVE's in 2.12.1
> Can you confirm which or if all the following fixes/patches/commits
> that resolve the issues and CVEs below are incorporated into the latest
> available version, 2.12.1? [...]
They are, because...
> I see that version 2.12.1 was released 1 month ago [...] and that
> these fixes were committed 3 months ago.
... of exactly that. We don't maintain any other branch except 'master'.
> I would have expected the fixes to be incorporated. But it's unclear
> based on the results of the code scan and changelog.
How did you come to this 'unclear' conclusion? If you follow the links to the
gitlab instance, just press the '...' button next to 'master', and you can
immediately see the affected version tags.
Werner
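The check Werner describes, whether a given fix commit is contained in a release tag, can be done from the command line rather than through the GitLab '...' button. The script below is an added example and is not part of the thread or of the FreeType project: it builds a throwaway repository whose history mimics the situation (a release tag, then a fix commit, then a later release tag), then asks git which tags contain the fix. The tag names `v2.12.0`/`v2.12.1`, the commit messages and the CVE placeholder are all constructed for the demo and do not reflect FreeType's real tag naming or history.

```shell
#!/bin/sh
# Added example: verify that a fix commit is contained in a release tag.
# Requires only a working `git` binary; all repository content is constructed.
set -eu

# Identity for the constructed commits, so the script runs in a clean sandbox.
export GIT_AUTHOR_NAME=example GIT_AUTHOR_EMAIL=example@example.invalid
export GIT_COMMITTER_NAME=example GIT_COMMITTER_EMAIL=example@example.invalid

# make_demo_repo DIR
# Creates DIR with a linear history: release tag, fix commit, later release tag.
# Only the later tag should therefore contain the fix.
make_demo_repo() {
    dir=$1
    rm -rf "$dir"
    git -c init.defaultBranch=master init -q "$dir"
    git -C "$dir" commit -q --allow-empty -m "release 2.12.0 (constructed)"
    git -C "$dir" tag v2.12.0
    git -C "$dir" commit -q --allow-empty \
        -m "fix out-of-bounds read (hypothetical CVE-XXXX-YYYY)"
    git -C "$dir" commit -q --allow-empty -m "release 2.12.1 (constructed)"
    git -C "$dir" tag v2.12.1
}

# fix_commit DIR PATTERN
# Prints the hash of the newest commit whose message matches PATTERN.
# In practice you would take the hash straight from the advisory or MR.
fix_commit() {
    git -C "$1" log --all --format=%H --grep="$2" -n 1
}

# tags_containing DIR COMMIT
# Prints, space separated, every tag whose history includes COMMIT.
# This is the CLI equivalent of the tag list shown by the GitLab '...' button.
tags_containing() {
    git -C "$1" tag --contains "$2" | tr '\n' ' ' | sed 's/ *$//'
}

# fix_in_release DIR COMMIT TAG
# Exit status 0 if TAG's history includes COMMIT, 1 otherwise. Checking
# ancestry directly avoids relying on the changelog mentioning the CVE.
fix_in_release() {
    git -C "$1" merge-base --is-ancestor "$2" "$3"
}

# Stand-alone demo: build the repo and report which releases carry the fix.
demo_dir=$(mktemp -d)/demo
make_demo_repo "$demo_dir"
fix=$(fix_commit "$demo_dir" "CVE-XXXX-YYYY")
echo "fix commit: $fix"
echo "tags containing it: $(tags_containing "$demo_dir" "$fix")"
for tag in v2.12.0 v2.12.1; do
    if fix_in_release "$demo_dir" "$fix" "$tag"; then
        echo "$tag: contains the fix"
    else
        echo "$tag: does NOT contain the fix"
    fi
done
```

Against a real checkout the same two commands apply unchanged: `git tag --contains <hash>` lists every release tag that includes the commit, and `git merge-base --is-ancestor <hash> <tag>` gives a yes/no answer suitable for a script. Either is a more reliable signal than scanning docs/CHANGES for a CVE number, since a changelog entry is written by hand and may omit the identifier.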