Subject: bug#41525: CVE-2020-12762: json-c
From: Lars-Dominik Braun
To: 41525@debbugs.gnu.org
Date: Mon, 25 May 2020 14:06:47 +0200
Message-ID: <20200525120647.GA1428@noor.fritz.box>

Hi,

our package json-c is vulnerable to CVE-2020-12762[1]. Be careful when applying
the “fix”, since it broke a lot of packages on Ubuntu and Gentoo[2] in the past
week.

Lars

[1] https://nvd.nist.gov/vuln/detail/CVE-2020-12762
[2] https://bugs.gentoo.org/722150