Hi Su, Thank you so much for clarifying. Do you have an estimate on the timeframe for release of 4.5.0? Thanks, ellen
From: Sulau <su...@freenet.de> Sent: Wednesday, October 26, 2022 4:51 PM To: tiff@lists.osgeo.org Cc: Ellen Johnson <ell...@mathworks.com> Subject: AW: [Tiff] clarification on the fix status for new CVE-2022-3570? Hi Ellen, issues 381 and 386 are fixed and related MR is merged into the master branch one week ago. So they will probably be released with next version 4.5.0 Regards, Su Von: Tiff [mailto:tiff-boun...@lists.osgeo.org] Im Auftrag von Ellen Johnson Gesendet: Montag, 24. Oktober 2022 19:05 An: tiff@lists.osgeo.org<mailto:tiff@lists.osgeo.org> Betreff: [Tiff] clarification on the fix status for new CVE-2022-3570? Hi libtiff developers, I'm confused about the new CVE reported in libtiff >= 4.4.0 related to the previous CVEs in tiffcrop.c. There's a lot of comments in the GitLab issues and I'm trying to detangle whether this is fixed in 4.4.0, or in the master branch waiting to be released into a new libtiff version, or still open and not yet merged into any branch. NVD link: https://nvd.nist.gov/vuln/detail/CVE-2022-3570<https://nvd.nist.gov/vuln/detail/CVE-2022-3570> Related libtiff GitLab issue: https://gitlab.com/gitlab-org/cves/-/issues/479<https://gitlab.com/gitlab-org/cves/-/issues/479> From the GitLab posts and merge requests, it looks like it's related to the previous CVEs fixed in https://gitlab.com/libtiff/libtiff/-/merge_requests/382<https://gitlab.com/libtiff/libtiff/-/merge_requests/382>. In these two GitLab issues, the CVE reporter is saying they are still open issues in 4.4.0: https://gitlab.com/libtiff/libtiff/-/issues/381<https://gitlab.com/libtiff/libtiff/-/issues/381> https://gitlab.com/libtiff/libtiff/-/issues/386<https://gitlab.com/libtiff/libtiff/-/issues/386> Can you please advise on the fix status for https://nvd.nist.gov/vuln/detail/CVE-2022-3570<https://nvd.nist.gov/vuln/detail/CVE-2022-3570>? Thank you! ellen
_______________________________________________ Tiff mailing list Tiff@lists.osgeo.org https://lists.osgeo.org/mailman/listinfo/tiff