unofficial mirror of guix-devel@gnu.org 
* glib@2.62.6 is vulnerable to CVE-2021-27218 and CVE-2021-27219
@ 2021-03-10 23:44 Léo Le Bouter
  2021-03-11  8:28 ` Mark H Weaver
  0 siblings, 1 reply; 4+ messages in thread
From: Léo Le Bouter @ 2021-03-10 23:44 UTC (permalink / raw)
  To: guix-devel


Upstream does not provide fixes for the 2.62.x series so we need to
backport ourselves.

I would rather switch to upstream-supported version (2.66.x or later)
as backporting patches does not appear sustainable for us, we already
have enough on our plate.

See:
- https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1942 (CVE-2021-27218)
- https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1944 (CVE-2021-27218)
- https://gitlab.gnome.org/GNOME/glib/-/issues/2319 (CVE-2021-27219)

Léo



* Re: glib@2.62.6 is vulnerable to CVE-2021-27218 and CVE-2021-27219
  2021-03-10 23:44 glib@2.62.6 is vulnerable to CVE-2021-27218 and CVE-2021-27219 Léo Le Bouter
@ 2021-03-11  8:28 ` Mark H Weaver
  2021-03-11 11:23   ` Mark H Weaver
  0 siblings, 1 reply; 4+ messages in thread
From: Mark H Weaver @ 2021-03-11  8:28 UTC (permalink / raw)
  To: Léo Le Bouter, guix-devel

Hi Léo,

Thanks for bringing this to our attention.

Léo Le Bouter <lle-bout@zaclys.net> writes:
> Upstream does not provide fixes for the 2.62.x series so we need to
> backport ourselves.

One does not follow from the other.  Besides upstream, there exist other
competent organizations (such as Debian, Red Hat, and Ubuntu) that
provide security support for their stable OS releases, and publish
backported fixes as part of that work.

> I would rather switch to upstream-supported version (2.66.x or later)
> as backporting patches does not appear sustainable for us, we already
> have enough on our plate.

As I wrote in another thread: I'll backport the fixes for CVE-2021-27218
and CVE-2021-27219 to our version of Glib, based on the backports
already published by Ubuntu for Glib 2.56.4 and 2.64.4.

     Regards,
       Mark



* Re: glib@2.62.6 is vulnerable to CVE-2021-27218 and CVE-2021-27219
  2021-03-11  8:28 ` Mark H Weaver
@ 2021-03-11 11:23   ` Mark H Weaver
  2021-03-11 11:46     ` Léo Le Bouter
  0 siblings, 1 reply; 4+ messages in thread
From: Mark H Weaver @ 2021-03-11 11:23 UTC (permalink / raw)
  To: Léo Le Bouter, guix-devel

Mark H Weaver <mhw@netris.org> writes:

> As I wrote in another thread: I'll backport the fixes for CVE-2021-27218
> and CVE-2021-27219 to our version of Glib, based on the backports
> already published by Ubuntu for Glib 2.56.4 and 2.64.4.

Done in commit 21b3b755151028647081fe96d2992b3743531d71 on the 'master'
branch.

      Mark



* Re: glib@2.62.6 is vulnerable to CVE-2021-27218 and CVE-2021-27219
  2021-03-11 11:23   ` Mark H Weaver
@ 2021-03-11 11:46     ` Léo Le Bouter
  0 siblings, 0 replies; 4+ messages in thread
From: Léo Le Bouter @ 2021-03-11 11:46 UTC (permalink / raw)
  To: Mark H Weaver, guix-devel


On Thu, 2021-03-11 at 06:23 -0500, Mark H Weaver wrote:
> Mark H Weaver <mhw@netris.org> writes:
> 
> > As I wrote in another thread: I'll backport the fixes for CVE-2021-27218
> > and CVE-2021-27219 to our version of Glib, based on the backports
> > already published by Ubuntu for Glib 2.56.4 and 2.64.4.
> 
> Done in commit 21b3b755151028647081fe96d2992b3743531d71 on the 'master'
> branch.
> 
>       Mark

Thank you!


