On 15/04/19 14:56 +0100, Christine Caulfield wrote:
> We are pleased to announce the release of libqb 1.0.4
> 
> Source code is available at:
> https://github.com/ClusterLabs/libqb/releases/download/v1.0.4/libqb-1.0.4.tar.xz
> 
> Please use the signed .tar.gz or .tar.xz files with the version number
> in rather than the github-generated "Source Code" ones.
> 
> This is a security update to 1.0.3. Files are now opened with O_EXCL and
> are placed in directories created by mkdtemp().

For the record, this was (finally, after some initial hesitation about
the process in a situation like this) assigned CVE-2019-12779.

The summary at the MITRE site makes a strict cut in proposing only v1.0.5
as not vulnerable, which is not quite the interpretation proposed, but
hopefully my other response in this thread makes it clear that v1.0.4
is not the right "peace of mind" target for other reasons.

-- 
Jan (Poki)
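
The hardening named in the quoted announcement (files opened with O_EXCL inside a directory created by mkdtemp()) can be illustrated as follows. This is an added example, not part of the original message and not libqb's own code; the function names and the /tmp/qb-example-XXXXXX template are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* mkdtemp() replaces XXXXXX with random characters and creates the
 * directory with mode 0700, so other local users cannot plant files in it. */
static int make_private_dir(char *tmpl) { return mkdtemp(tmpl) ? 0 : -1; }

/* O_CREAT|O_EXCL makes creation atomic: open() fails with EEXIST if the
 * name is already taken, and a symlink at that name is never followed. */
static int create_exclusive(const char *dir, const char *name)
{
    char path[4096];
    int n = snprintf(path, sizeof path, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= sizeof path) { errno = ENAMETOOLONG; return -1; }
    return open(path, O_CREAT | O_EXCL | O_RDWR, 0600);
}

/* Returns the errno seen when a symlink already occupies the file name
 * (0 would mean the open wrongly succeeded). All names are constructed. */
static int errno_when_symlink_preplanted(void)
{
    char dir[] = "/tmp/qb-example-XXXXXX";
    char lnk[64], target[64];
    int fd, err = 0;

    if (make_private_dir(dir) != 0) return -1;
    snprintf(lnk, sizeof lnk, "%s/data", dir);
    snprintf(target, sizeof target, "%s/elsewhere", dir);
    if (symlink(target, lnk) != 0) err = -1;
    else if ((fd = create_exclusive(dir, "data")) >= 0) close(fd);
    else err = errno;
    if (access(target, F_OK) == 0) err = -2;   /* the link was followed */
    unlink(target); unlink(lnk); rmdir(dir);
    return err;
}

int main(void)
{
    int e = errno_when_symlink_preplanted();
    printf("pre-planted symlink %s\n", e == EEXIST ? "refused" : "NOT refused");
    return e == EEXIST ? 0 : 1;
}
```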
