From mboxrd@z Thu Jan  1 00:00:00 1970
From: Efraim Flashner <efraim@flashner.co.il>
Subject: Re: [PATCH 0/1] Update harfbuzz to 1.0.6 (CVE-2016-2052)
Date: Fri, 29 Jan 2016 09:41:45 +0200
Message-ID: <20160129094145.76c50cce@debian-netbook>
References: <cover.1454047197.git.leo@famulari.name>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
	boundary="Sig_/XRRTTSiHTmBfnWW.dVjMfQk";
	protocol="application/pgp-signature"
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:41870)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <efraim@flashner.co.il>) id 1aP3gq-0003fh-12
	for guix-devel@gnu.org; Fri, 29 Jan 2016 02:41:56 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <efraim@flashner.co.il>) id 1aP3gm-0005H7-Qb
	for guix-devel@gnu.org; Fri, 29 Jan 2016 02:41:55 -0500
Received: from flashner.co.il ([178.62.234.194]:46744)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <efraim@flashner.co.il>) id 1aP3gm-0005Gr-Jj
	for guix-devel@gnu.org; Fri, 29 Jan 2016 02:41:52 -0500
In-Reply-To: <cover.1454047197.git.leo@famulari.name>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
To: Leo Famulari <leo@famulari.name>
Cc: guix-devel@gnu.org

--Sig_/XRRTTSiHTmBfnWW.dVjMfQk
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On Fri, 29 Jan 2016 01:01:19 -0500
Leo Famulari <leo@famulari.name> wrote:

> This patch updates harfbuzz to 1.0.6, fixing CVE-2016-2052 [0].
>=20
> However, 587 packages depend on harfbuzz [1]. Where should the patch be
> applied?
>=20
> [0]
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2016-2052
>=20
> [1]
> Building the following 199 packages would ensure 388 dependent packages=20
> are rebuilt: avidemux-2.6.10 python-pyqt-5.5 pumpa-0.9.1=20
[snip]
> Leo Famulari (1):
>   gnu: harfbuzz: Update to 1.0.6 [fixes CVE-2016-2052].
>=20
>  gnu/packages/gtk.scm | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>=20

how about the security-updates branch?

--=20
Efraim Flashner   <efraim@flashner.co.il>   =D7=90=D7=A4=D7=A8=D7=99=D7=9D =
=D7=A4=D7=9C=D7=A9=D7=A0=D7=A8
GPG key =3D A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

--Sig_/XRRTTSiHTmBfnWW.dVjMfQk
Content-Type: application/pgp-signature
Content-Description: OpenPGP digital signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCgAGBQJWqxe5AAoJEPTB05F+rO6TQgEP/jSJpsSU844C9UMZ8fQpZm+0
SQvccynDet06+HPZ3UiMbjCBl3KMq5Zp4u11AQOdqhekYpbmRObXlfLQQoO/DpSd
hHqEBaEgRI7pnYm9VuaQFLG4H+xDTtWirUgC5/yjXPJZ7icdskk1uUrM0H8GLbpc
Kl+foO/lxsV6udT3sbpndCqeZ2omTLeiSB/OqOYyDMRr5owe5b4ZOURLCS51+ppM
+PtPl1OJSxCwhPEpFV0RilA28dAYRZsdc2DP3c3599jvJQRIU69j7MdscAmd2QYg
EgRFQfWtFHaOPybt1JZaMqiTj6D69+J5fEY/NfGkvstnOOdK76fJf6CIP0bWyawU
eLZAFwmq8F1cLl5lebffX7eMhYKv58of31l+U7tI7N5lsS4q67ByRD5ClLhYg9r1
r1lY/UGwVwbqJMqoo86BJwe4KO63Ad1J42AE+4xLsVD4ru9ks89edqLytfQmSafV
jdm/QhG24Tihwcu7LbFYxbL7Y4If5hS9z8YZfOawiVWDezPmoM/g1gpTUb0DuJ+6
GD6WstNX7AdcH/K10C6eRbqob1FYscigtymyK8g61pCcQWWzUJ2gr7VMjc1qlE2y
TyckBVPA2e0GYWSP/LExVG7wLtJ2YhXsqrv1EEbdMUvpNI45P4geVyjVvM8b+VjN
3SAiQS0posj0anJzBxBX
=WPAl
-----END PGP SIGNATURE-----

--Sig_/XRRTTSiHTmBfnWW.dVjMfQk--