On Thu, Apr 04, 2024 at 03:47 AM, John Kehayias wrote:

> On Thu, Apr 04, 2024 at 02:50 AM, John Kehayias wrote:
>
>> Hello,
>>
>> On Thu, Apr 04, 2024 at 01:07 AM, Vinicius Monego wrote:
>>
>>> OpenEXR suffers from these vulnerabilities which were fixed in version
>>> 3.2.2 [1] and 3.1.4 [2], respectively, while our version is currently
>>> 3.1.3.
>>>
>>> The package contains 448 dependents, and a change in derivation
>>> shouldn't be pushed to master, at least according to the patch
>>> submission guidelines.
>>>
>>> [1] https://nvd.nist.gov/vuln/detail/CVE-2023-5841
>>>
>>> [2] https://nvd.nist.gov/vuln/detail/CVE-2021-45942
>>
>> Thanks for passing this along.
>>
>> I've applied a patch, attached, locally to the mesa-updates branch which
>> updates openexr to the latest version, 3.2.4. It required a few minor
>> changes (fix a phase, an input) but it builds.
>>
>> I may wait to queue up some more fixes for that branch, but don't
>> currently have anything pending. Either way, it will be there soon and
>> hopefully merged to master (just need to wait for everything to build
>> and look good).
>>
>> Thanks!
>> John
>
> Forgot to note the change in [inputs] in the changelog, fixed locally.
Pushed as 410e699e0933653e69d03a4cdadf11854c6723f4 (and fixed some build
issues with 2718616f77aace28b3962fef29b4e38b87a512ce) and merged with
2d5736cc3e869fadd2592cc13a8d332fac63b144.

Thanks!
John