> -----Original Message-----
> From: mikko.rap...@bmw.de <mikko.rap...@bmw.de>
> Sent: Thursday, March 12, 2020 08:34 PM
> To: Mittal, Anuj <anuj.mit...@intel.com>
> Cc: openembedded-core@lists.openembedded.org; stefan.ghi...@windriver.com
> Subject: Re: [OE-core] [PATCH] [zeus] aspell: CVE-2019-20433
> 
> On Thu, Mar 12, 2020 at 12:25:21PM +0000, Mittal, Anuj wrote:
> > It looks like this is changing the API. I wonder if this would need
> > any other change or break something elsewhere in OE-core, meta-oe?
> >
> > http://aspell.net/buffer-overread-ucs.txt
> 
> Debian classified issues as minor and fixed only by updating to 0.60.8:

They were applied to 0.60.7:

https://salsa.debian.org/debian/aspell/-/commit/ab3214b1e758646c5a995d277ac80f6d04566149

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=935128

I think that "minor" categorization is for versions where it wasn't fixed. The 
NVD severity at the top says medium and it has been assigned a score of 9.1.

> 
> https://security-tracker.debian.org/tracker/CVE-2019-20433
> 
> https://metadata.ftp-master.debian.org/changelogs//main/a/aspell/aspell_0.60.8-1_changelog
> 
> Maybe whitelist for stable branches and update to new version on master?
> 

Whitelisting doesn't sound like the right thing to do here, especially since this is 
a valid problem.

Thanks,

Anuj
-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
