* [PATCH 0/1] Update harfbuzz to 1.0.6 (CVE-2016-2052)
@ 2016-01-29 6:01 Leo Famulari
2016-01-29 6:01 ` [PATCH 1/1] gnu: harfbuzz: Update to 1.0.6 [fixes CVE-2016-2052] Leo Famulari
2016-01-29 7:41 ` [PATCH 0/1] Update harfbuzz to 1.0.6 (CVE-2016-2052) Efraim Flashner
0 siblings, 2 replies; 5+ messages in thread
From: Leo Famulari @ 2016-01-29 6:01 UTC (permalink / raw)
To: guix-devel
This patch updates harfbuzz to 1.0.6, fixing CVE-2016-2052 [0].
However, 587 packages depend on harfbuzz [1]. Where should the patch be
applied?
[0]
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2052
[1]
Building the following 199 packages would ensure 388 dependent packages
are rebuilt: avidemux-2.6.10 python-pyqt-5.5 pumpa-0.9.1
owncloud-client-2.1.0 powertabeditor-2.0.0-alpha8 lxqt-session-0.9.0
lxqt-common-0.9.1 tiled-0.13.1 bitcoin-core-0.11.0 fritzing-0.9.2b
i3-wm-4.10.3 xnee-3.19 racket-6.2.1 sawfish-1.11 lxtask-0.1.6
lxrandr-0.3.0 lxappearance-0.6.1 pcmanfm-1.2.3
ruby-atoulme-antwrap-0.7.5 htsjdk-1.129 sra-tools-2.5.4 icedtea-1.13.9
arandr-0.1.8 wicd-1.7.3 gourmet-0.17.4 gajim-0.16.5 pspp-0.8.5
gpscorrelate-1.6.1.365f6e1b3f pinentry-0.9.6 xournal-0.4.8
lxterminal-0.2.0 gkrellm-2.3.5 geeqie-1.1 geda-gaf-1.8.2
dvdisaster-0.72.6 hydrogen-0.9.5.1 qsynth-0.4.0 calf-0.0.60 ir-1.3.2
gnubik-2.4.2 pcb-20140316 jalv-1.4.6 azr3-1.2.3 patchage-1.0.0
ardour-4.4 gst-plugins-ugly-1.6.1 guix-0.9.0.f888c0b scribus-1.5.0
skribilo-0.9.3 a2ps-4.14 emacs-w3m-1.4.538+0.20141022 calibre-2.48.0
orpheus-1.6 ripperx-2.8.0 emms-4.0 abcde-2.7 cereal-1.1.2 soprano-2.9.4
vmpk-0.6.2a ncmpc-0.24 mpd-mpc-0.27 mpdscribble-0.22 ncmpcpp-0.6.7
pidgin-otr-4.0.1 libdbusmenu-qt-0.9.2 libstdc++-doc-5.3.0
libstdc++-doc-4.9.3 manaplus-1.6.1.16 love-0.10.0 wayland-1.9.0
fish-2.2.0 openbox-3.5.2 gmtp-1.3.9 tuxguitar-1.2
conkeror-1.0pre1.20150730 lablgtk-2.18.3 gnubg-1.02 inklingreader-0.8
gxmessage-3.4.3 zathura-cb-0.1.4 zathura-ps-0.2.2
zathura-pdf-poppler-0.2.5 zathura-djvu-0.2.4 pavucontrol-3.0
glade-3.18.3 gnome-keyring-3.18.3 guitarix-0.34.0 devhelp-3.18.1
hexchat-2.10.1 claws-mail-3.13.2 file-roller-3.16.4
ibus-libpinyin-1.7.2 yelp-3.16.1 vte-0.36.5 d-feet-0.3.10 xfce-4.12.0
gsegrafix-1.0.6 libchamplain-0.12.12 tilda-1.3.1 gnome-terminal-3.18.2
epiphany-3.18.2 evince-3.18.1 gedit-3.18.1 shotwell-0.22.0
rhythmbox-3.2.1 gnome-session-3.18.1.2 seahorse-3.18.0
nestopia-ue-1.46.2 gamine-1.4 sfxr-1.2.1 fcitx-4.2.8.6
transmission-2.84 guile-present-0.3.0 eog-3.18.1 gnome-shell-3.18.3
gnome-themes-standard-3.18.0 totem-3.18.1 gnome-mines-3.18.2
key-mon-1.17 gnucash-2.6.9 aisleriot-3.18.2 gnumeric-1.12.24
gnome-klotski-3.18.2 xboard-4.8.0 fvwm-2.6.5
guile-emacs-20150512.41120e0 emacs-no-x-toolkit-24.5 hop-2.4.0
patches-0.0.26d7dbc emacs-debbugs-0.7 emacs-butler-0.2.4
magit-svn-2.1.1 emacs-typo-1.1 emacs-flycheck-0.23
emacs-ob-ipython-20150704.8807064693 emacs-auctex-11.88.6
emacs-undo-tree-0.6.4 abiword-2.8.6 gimp-2.8.14 wesnoth-1.12.4
mplayer-1.2 obs-0.12.4 cmus-2.7.1 mpd-0.19.10 strigi-0.7.8
gst-libav-1.6.1 guile-gnunet-0.0.383eac2 retroarch-1.2.2 audacity-2.1.0
kodi-15.2 gvfs-1.26.2 python-numexpr-2.4.4 python-statsmodels-0.6.1
python-scikit-learn-0.16.1 python-seaborn-0.5.1 python-h5py-2.4.0
python-scikit-image-0.11.3 idr-2.0.0 python-biopython-1.66
python2-ipython-3.2.1 python2-numexpr-2.4.4 libreoffice-5.0.3.2
rseqc-2.6.1 macs-2.1.0.20140616 seqmagick-0.6.1 crossmap-0.2.1
python-ipython-3.2.1 python2-statsmodels-0.6.1
python2-scikit-image-0.11.3 python2-seaborn-0.5.1 couger-1.8.2
python2-warpedlmm-0.21 deeptools-1.5.11 grit-2.0.2
pbtranscript-tofu-2.2.3.8f5467fe6 clipper-0.3.0 miso-0.5.3
asymptote-2.35 proof-general-4.2 unison-2.48.3 fastcap-2.0-18Sep92
simple-scan-3.17.4 hydra-20150407.4c0e3e4 enblend-enfuse-4.1.3
wxmaxima-15.04.0 flann-1.8.4 shogun-4.0.0 xsensors-0.70 mpv-0.15.0
gerbv-2.6.1 frescobaldi-2.18.1 solfege-3.22.2 dunst-1.1.0
synfigstudio-1.0.2 terminology-0.9.1 emotion-generic-players-1.16.0
Leo Famulari (1):
gnu: harfbuzz: Update to 1.0.6 [fixes CVE-2016-2052].
gnu/packages/gtk.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--
2.6.3
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH 1/1] gnu: harfbuzz: Update to 1.0.6 [fixes CVE-2016-2052].
2016-01-29 6:01 [PATCH 0/1] Update harfbuzz to 1.0.6 (CVE-2016-2052) Leo Famulari
@ 2016-01-29 6:01 ` Leo Famulari
2016-01-29 8:02 ` Mark H Weaver
2016-01-29 7:41 ` [PATCH 0/1] Update harfbuzz to 1.0.6 (CVE-2016-2052) Efraim Flashner
1 sibling, 1 reply; 5+ messages in thread
From: Leo Famulari @ 2016-01-29 6:01 UTC (permalink / raw)
To: guix-devel
* gnu/packages/gtk.scm (harfbuzz): Update to 1.0.6.
---
gnu/packages/gtk.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm
index 916873b..3f92d0a 100644
--- a/gnu/packages/gtk.scm
+++ b/gnu/packages/gtk.scm
@@ -145,7 +145,7 @@ affine transformation (scale, rotation, shear, etc.).")
(define-public harfbuzz
(package
(name "harfbuzz")
- (version "1.0.5")
+ (version "1.0.6")
(source (origin
(method url-fetch)
(uri (string-append "http://www.freedesktop.org/software/"
@@ -153,7 +153,7 @@ affine transformation (scale, rotation, shear, etc.).")
version ".tar.bz2"))
(sha256
(base32
- "0h2l362qzkck5dnnj7zlz593hf1ni3k25dfaii9mbjwflp3d56ad"))))
+ "09ivk5m4y09ar4zi9r6db7gp234cy05h0ach7w22g9kqvkxsf5pn"))))
(build-system gnu-build-system)
(outputs '("out"
"bin")) ; 160K, only hb-view depend on cairo
--
2.6.3
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH 0/1] Update harfbuzz to 1.0.6 (CVE-2016-2052)
2016-01-29 6:01 [PATCH 0/1] Update harfbuzz to 1.0.6 (CVE-2016-2052) Leo Famulari
2016-01-29 6:01 ` [PATCH 1/1] gnu: harfbuzz: Update to 1.0.6 [fixes CVE-2016-2052] Leo Famulari
@ 2016-01-29 7:41 ` Efraim Flashner
2016-01-29 8:04 ` Leo Famulari
1 sibling, 1 reply; 5+ messages in thread
From: Efraim Flashner @ 2016-01-29 7:41 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
[-- Attachment #1: Type: text/plain, Size: 897 bytes --]
On Fri, 29 Jan 2016 01:01:19 -0500
Leo Famulari <leo@famulari.name> wrote:
> This patch updates harfbuzz to 1.0.6, fixing CVE-2016-2052 [0].
>
> However, 587 packages depend on harfbuzz [1]. Where should the patch be
> applied?
>
> [0]
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2052
>
> [1]
> Building the following 199 packages would ensure 388 dependent packages
> are rebuilt: avidemux-2.6.10 python-pyqt-5.5 pumpa-0.9.1
[snip]
> Leo Famulari (1):
> gnu: harfbuzz: Update to 1.0.6 [fixes CVE-2016-2052].
>
> gnu/packages/gtk.scm | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
how about the security-updates branch?
--
Efraim Flashner <efraim@flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 1/1] gnu: harfbuzz: Update to 1.0.6 [fixes CVE-2016-2052].
2016-01-29 6:01 ` [PATCH 1/1] gnu: harfbuzz: Update to 1.0.6 [fixes CVE-2016-2052] Leo Famulari
@ 2016-01-29 8:02 ` Mark H Weaver
0 siblings, 0 replies; 5+ messages in thread
From: Mark H Weaver @ 2016-01-29 8:02 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
Leo Famulari <leo@famulari.name> writes:
> * gnu/packages/gtk.scm (harfbuzz): Update to 1.0.6.
I pushed this to the 'security-updates' branch.
Thanks!
Mark
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 0/1] Update harfbuzz to 1.0.6 (CVE-2016-2052)
2016-01-29 7:41 ` [PATCH 0/1] Update harfbuzz to 1.0.6 (CVE-2016-2052) Efraim Flashner
@ 2016-01-29 8:04 ` Leo Famulari
0 siblings, 0 replies; 5+ messages in thread
From: Leo Famulari @ 2016-01-29 8:04 UTC (permalink / raw)
To: Efraim Flashner; +Cc: guix-devel
On Fri, Jan 29, 2016 at 09:41:45AM +0200, Efraim Flashner wrote:
> On Fri, 29 Jan 2016 01:01:19 -0500
> Leo Famulari <leo@famulari.name> wrote:
>
> > This patch updates harfbuzz to 1.0.6, fixing CVE-2016-2052 [0].
> >
> > However, 587 packages depend on harfbuzz [1]. Where should the patch be
> > applied?
> >
> > [0]
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2052
> >
> > [1]
> > Building the following 199 packages would ensure 388 dependent packages
> > are rebuilt: avidemux-2.6.10 python-pyqt-5.5 pumpa-0.9.1
> [snip]
> > Leo Famulari (1):
> > gnu: harfbuzz: Update to 1.0.6 [fixes CVE-2016-2052].
> >
> > gnu/packages/gtk.scm | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
> >
>
> how about the security-updates branch?
I'm not sure of the status of the branch with respect to Hydra. That is,
is it currently building the branch? If so, is it bad to push to the
branch? I wouldn't mind a little education on this topic!
Other can feel free to push this if appropriate.
>
> --
> Efraim Flashner <efraim@flashner.co.il> אפרים פלשנר
> GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
> Confidentiality cannot be guaranteed on emails sent or received unencrypted
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2016-01-29 8:04 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-01-29 6:01 [PATCH 0/1] Update harfbuzz to 1.0.6 (CVE-2016-2052) Leo Famulari
2016-01-29 6:01 ` [PATCH 1/1] gnu: harfbuzz: Update to 1.0.6 [fixes CVE-2016-2052] Leo Famulari
2016-01-29 8:02 ` Mark H Weaver
2016-01-29 7:41 ` [PATCH 0/1] Update harfbuzz to 1.0.6 (CVE-2016-2052) Efraim Flashner
2016-01-29 8:04 ` Leo Famulari
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.