Re: Fwd: Unresponsive maintainer: petersen / Pandoc package not updated since June 2023: Security vulnerability, CVE-2023-35936 (medium)

Fri, 09 Feb 2024 04:36:34 -0800 

Thanks! :)

On 09/02/2024 13.18, Luna Jernberg wrote:

CCed his work email in case he looks there

---------- Forwarded message ---------
Från: Christopher Klooz <py0...@posteo.net>
Date: fre 9 feb. 2024 kl 13:05
Subject: Unresponsive maintainer: petersen / Pandoc package not updated
since June 2023: Security vulnerability, CVE-2023-35936 (medium)
To: Development discussions related to Fedora <devel@lists.fedoraproject.org

I cannot reach the maintainer petersen (see mail below): The package
"pandoc" remains at 3.1.3 in Fedora, but pandoc is already at 3.1.11.1.
Among the updates since 3.1.3, there have been two security-critical
(including the medium CVE-2023-35936. Security fixes are in 3.1.4 & 3.1.6).

The actual risk is limited, but these should be updated nevertheless.

Does anyone know how to reach him by other means?

Regards,
Chris


-------- Forwarded Message --------
Subject: Fedora package "pandoc" outdated and contains security
vulnerability
Date: Thu, 1 Feb 2024 15:55:09 +0100
From: py0...@posteo.net
To: peter...@fedoraproject.org

Hi petersen,

I am reaching out because of the package "pandoc", which you maintain.

I have seen that the package is still at version 3.1.3 [1] when I tried to
install it with dnf, whereas the current version is 3.1.11.1 [2]: is this
intended or an accident?

It has to be noted that the updates that have been added in the meantime
contain fixes for security vulnerabilities (at least CVE-2023-35936; I have
just roughly skimmed the changelogs). So at the moment, it seems the Fedora
build can be exploited by attackers in some circumstances [3] [4] because
it is still at 3.1.3.

Regards & thanks for maintaining,

Chris

[1] https://koji.fedoraproject.org/koji/packageinfo?packageID=11560

[2] https://hackage.haskell.org/package/pandoc &
https://github.com/jgm/pandoc

[3] https://github.com/jgm/pandoc/releases?page=1

[4] https://github.com/jgm/pandoc/releases?page=2

--
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue


--
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Reply via email to