This is the mail archive of the cygwin-apps mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: [SECURITY] tiff, libpng, automake


On 2012-08-15 02:30, Yaakov (Cygwin/X) wrote:
> On Tue, 2012-08-14 at 22:05 +0200, Corinna Vinschen wrote:
>> Chuck?
>>
>> Ping 2?
>>
>> If you don't reply I guess we have to assume you're not with us
>> anymore.  Which would be too bad.
> 
> Indeed. :-(

Dito.

>> On Aug  3 09:58, Corinna Vinschen wrote:
>>> On Jul 23 16:48, Yaakov (Cygwin/X) wrote:
>>>> Chuck,
>>>>
>>>> Security vulnerabilities are accumulating for the tiff package
>>>> (CVE-2011-0192, CVE-2011-1167, CVE-2012-1173, CVE-2012-2088,
>>>> CVE-2012-2113, CVE-2012-3401).  This can be fixed by updating to
>>>> 3.9.6 and applying the four patches found here:
>>>>
>>>> http://pkgs.fedoraproject.org/gitweb/?p=libtiff.git;a=tree;h=refs/heads/f17;hb=f17
>>>>
>>>> There are also security vulnerabilities in the libpng packages
>>>> (CVE-2011-3026, CVE-2011-3048, and now CVE-2012-3386).  These need

Did you mean CVE-2011-3328? CVE-2012-3386 is for Automake, as you have
written below...

>>>> to be updated to the latest 1.4.12, 1.2.50, and 1.0.60 releases.
> 
> And now there's YA: automake1.11 needs a bump to 1.11.6 for
> CVE-2012-3386; earlier branches are also affected, but I haven't seen
> any backporting patches yet.

Regarding CVE-2012-3386 and Cygwin, does it really help? AFAIU, Cygwin
doesn't handle a malicious local user very well anyway. Or does it?

(not saying that I don't want updates or anything, I'm just adding
some perspective)

Cheers,
Peter


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]