On Fri, Aug 12, 2022 at 6:12 PM Ben Beasley <c...@musicinmybrain.net> wrote:
>

(snip)

> rust-abomonation: sole maintainer (with @rust-sig); CVE bug ignored for
> eight months: https://bugzilla.redhat.com/show_bug.cgi?id=2039788
>
> rust-brotli-sys: primary maintainer; CVE bug ignored for eight months:
> https://bugzilla.redhat.com/show_bug.cgi?id=2034890
>
> rust-nix: sole maintainer (with @rust-sig); CVE bug ignored for seven
> months: https://bugzilla.redhat.com/show_bug.cgi?id=2039785
>
> (I have omitted bug reports for Rust packages that are merely
> out-of-date since these are often updated by SIG members rather than
> individual maintainers.)

I actually had those CVE bugs on my radar, but didn't have the time to
do a full investigation.
I've closed the first two, since they actually can no longer affect
any Fedora packages (no application depends on the problematic crates,
or they don't enable the affected features).

The third one could only have affected some really old builds on
Fedora 35, since rust-nix had been updated for that CVE problem some
time before the Fedora 36 mass rebuild. And the f35 packages that I
spot checked had all been rebuilt for some reason or updated at some
point, so none of them were affected, either. And even if some package
that I happened to miss had its last build at the Fedora 35 mass
rebuild, it is unlikely that it actually used the affected API.

Fabio
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org