From: Efraim Flashner
Subject: Re: [PATCH 0/1] Update harfbuzz to 1.0.6 (CVE-2016-2052)
Date: Fri, 29 Jan 2016 09:41:45 +0200
Message-ID: <20160129094145.76c50cce@debian-netbook>
To: Leo Famulari
Cc: guix-devel@gnu.org

On Fri, 29 Jan 2016 01:01:19 -0500
Leo Famulari wrote:

> This patch updates harfbuzz to 1.0.6, fixing CVE-2016-2052 [0].
>
> However, 587 packages depend on harfbuzz [1]. Where should the patch be
> applied?
>
> [0]
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2052
>
> [1]
> Building the following 199 packages would ensure 388 dependent packages
> are rebuilt: avidemux-2.6.10 python-pyqt-5.5 pumpa-0.9.1
[snip]
> Leo Famulari (1):
>   gnu: harfbuzz: Update to 1.0.6 [fixes CVE-2016-2052].
>
>  gnu/packages/gtk.scm | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>

How about the security-updates branch?

--
Efraim Flashner אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted