Yo All!

Now that gpsd 3.27 is out, things have been seemingly quiet.

Well, not so.  Just after 3.27 shipped someone found two CVEs.  For bugs
that had been around a while.  They are:

DoS from malicious NavCom packet.

Overrun from a malicious NMEA2000 packet, leading to system compromise.

Details will be released after the usual embargo.

Patches are in git head now.  If any of you actually uses NMEA2000 or
NavCom then please test.  Others will not be affected.

I'm waiting to see if we can quickly get CVE numbers assigned before
releasing 3.27.1.  I'll hold off anything that does not look very
benign, like link fixes, until after 3.27.1 so we do not need an
extended release candidate process.

Go ahead and submit MRs, just know that they will not be applied right
away.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
        [email protected]  Tel:+1 541 382 8588

            Veritas liberabit vos. -- Quid est veritas?
    "If you can't measure it, you can't improve it." - Lord Kelvin
