Re: Unresponsive maintainer: petersen / Pandoc package not updated since June 2023: Security vulnerability, CVE-2023-35936 (medium)

2024-03-29 Thread Michel Lind
Hi Jens,

Apologies for resurrecting an older thread here.

On Thu, Feb 22, 2024 at 02:06:22PM +0800, Jens-Ulrik Petersen wrote:
> (Not sure if it makes sense to post to Discourse: Haskell library reviews
> are still a little bit "esoteric" since ghc uses some non-standard linking
> (ie various warnings appear which tend to discourage/throw less experienced
> reviewers alas: perhaps they should be spelled out further as exception(s)
> in the Haskell Packaging policy, so I don't need to keep explaining them).
> 
Warnings from fedora-review and rpmlint, or in the build output?

If the warnings are from the first two, we should probably try and get
them fixed - I will try and look closely the next time I do a Haskell
review.

Some other ecosystems (e.g. Guile) also trigger a lot of rpmlint
warnings, and I have in mind fixing the rpmlint policies so that at some
point we can actually make use of the result - right now there are too
many false positives.

Best regards,

-- 
 _o) Michel Lind (né Salim)
_( ) identities: https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2


--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: Unresponsive maintainer: petersen / Pandoc package not updated since June 2023: Security vulnerability, CVE-2023-35936 (medium)

2024-03-01 Thread Leon Fauster via devel

On 01.03.24 at 07:55, Jens-Ulrik Petersen wrote:
> On Fri, Feb 9, 2024 at 8:05 PM Christopher Klooz wrote:
>
> > The package "pandoc" remains at 3.1.3 in Fedora, but pandoc is
> > already at 3.1.11.1. Among the updates since 3.1.3, there have been
> > two security-critical (including the medium CVE-2023-35936. Security
> > fixes are in 3.1.4 & 3.1.6).
> >
> > The actual risk is limited, but these should be updated nevertheless.
>
> Just noting here for the record too, that those pandoc CVEs are now
> fixed with backports in Rawhide, and I will gradually push them back to
> current releases in the near future.


Is EPEL9 also included? That would be great!

--
Thanks
Leon








Re: Unresponsive maintainer: petersen / Pandoc package not updated since June 2023: Security vulnerability, CVE-2023-35936 (medium)

2024-02-29 Thread Jens-Ulrik Petersen
On Fri, Feb 9, 2024 at 8:05 PM Christopher Klooz  wrote:

> The package "pandoc" remains at 3.1.3 in Fedora, but pandoc is already at
> 3.1.11.1. Among the updates since 3.1.3, there have been two
> security-critical (including the medium CVE-2023-35936. Security fixes are
> in 3.1.4 & 3.1.6).
>
> The actual risk is limited, but these should be updated nevertheless.
>

Just noting here for the record too, that those pandoc CVEs are now fixed
with backports in Rawhide, and I will gradually push them back to current
releases in the near future.

Thanks, Jens


Re: Unresponsive maintainer: petersen / Pandoc package not updated since June 2023: Security vulnerability, CVE-2023-35936 (medium)

2024-02-22 Thread Zbigniew Jędrzejewski-Szmek
On Thu, Feb 22, 2024 at 02:06:22PM +0800, Jens-Ulrik Petersen wrote:
> I realised a second open package review is
> https://bugzilla.redhat.com/show_bug.cgi?id=2068718 (isocline)
> - it's a newer dep for pandoc (actually hslua-repl).

Done.

zbyszek


Re: Unresponsive maintainer: petersen / Pandoc package not updated since June 2023: Security vulnerability, CVE-2023-35936 (medium)

2024-02-21 Thread Jens-Ulrik Petersen
On Sat, Feb 17, 2024 at 11:17 AM Michel Lind wrote:

> On Thu, Feb 15, 2024 at 07:53:38PM +, Christopher Klooz wrote:
> > On 14/02/2024 17.35, Michel Lind wrote:
> > > As a pandoc user, I'm happy to help with any reviews. Is there a list
> > > where this tends to get posted, apart from devel?
>

Thanks Michel for taking the base64 review.

I realised a second open package review is
https://bugzilla.redhat.com/show_bug.cgi?id=2068718 (isocline)
- it's a newer dep for pandoc (actually hslua-repl).

> Was just wondering if there's another place where Haskell packaging is
> coordinated.


It is a good question...

I was trying to do that previously in the Haskell SIG (mailing list and
channel), but the traction became so low that I largely gave up with
that... other than occasionally begging someone specifically to help with
an urgent review. ;-(
I can certainly send out such mails there and/or here going forward for
more direct awareness.
(Not sure if it makes sense to post to Discourse: Haskell library reviews
are still a little bit "esoteric" since ghc uses some non-standard linking
(ie various warnings appear which tend to discourage/throw less experienced
reviewers alas: perhaps they should be spelled out further as exception(s)
in the Haskell Packaging policy, so I don't need to keep explaining them).

I will be posting more reviews soon: in particular a large bunch of hslua
related packages - though I think it is better to roll them out in reverse
dependency order.

Jens


Re: Unresponsive maintainer: petersen / Pandoc package not updated since June 2023: Security vulnerability, CVE-2023-35936 (medium)

2024-02-16 Thread Michel Lind
On Thu, Feb 15, 2024 at 07:53:38PM +, Christopher Klooz wrote:
> On 14/02/2024 17.35, Michel Lind wrote:
> > As a pandoc user, I'm happy to help with any reviews. Is there a list
> > where this tends to get posted, apart from devel?
> > 
> > Thanks,
> > 
> > Michel
> 
> Once the package needs a review, the request should be found here:
> http://fedoraproject.org/PackageReviewStatus/
> 
> Details of the roles of "contributor" and "reviewer" in the "package review
> process" can be found here: 
> https://docs.fedoraproject.org/en-US/package-maintainers/Package_Review_Process/
> (based upon its history, I expect this page is kept updated but I don't know
> for sure)
> 
> According to the elaboration, you need to be in the FAS packager group, even
> for reviews.
> 
Thanks. I'm a long term packager so I know about these already ;)

Was just wondering if there's another place where Haskell packaging is
coordinated.

-- 
Michel Lind
identities: https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2




Re: Unresponsive maintainer: petersen / Pandoc package not updated since June 2023: Security vulnerability, CVE-2023-35936 (medium)

2024-02-15 Thread Jens-Ulrik Petersen
Thanks for the support.

I will start to post more review requests, maybe post them on discourse
too...

Currently there is https://bugzilla.redhat.com/show_bug.cgi?id=2163472
(base64) which I opened 1 year ago.

Jens

On Fri, Feb 16, 2024 at 3:54 AM Christopher Klooz  wrote:

> On 14/02/2024 17.35, Michel Lind wrote:
> > As a pandoc user, I'm happy to help with any reviews. Is there a list
> > where this tends to get posted, apart from devel?
> >
> > Thanks,
> >
> > Michel
>
> Once the package needs a review, the request should be found here:
> http://fedoraproject.org/PackageReviewStatus/
>
> Details of the roles of "contributor" and "reviewer" in the "package
> review process" can be found here:
> https://docs.fedoraproject.org/en-US/package-maintainers/Package_Review_Process/
> (based upon its history, I expect this page is kept updated but I don't
> know for sure)
>
> According to the elaboration, you need to be in the FAS packager group,
> even for reviews.
>
> > On Fri, Feb 09, 2024 at 11:26:33PM +0800, Jens-Ulrik Petersen wrote:
> > > I should also have added there's an increasing amount of technical debt
> > > with the pandoc packaging - I guess I need to beg people to help with
> > > package reviews: also reminded of our packaging (review) streamlining
> > > discussion from Flock last year.
> > >
> > > Jens
> > >
> > > On Fri, 9 Feb 2024, 23:23 Jens-Ulrik Petersen wrote:
> > > > Hello I am here - thanks for contacting me.
> > > >
> > > > I was hoping to cover this as part of my F40 Change, but unfortunately I
> > > > haven't gotten to it, so the Change is now at risk of being deferred to F41.
> > > >
> > > > Nevertheless I will see what I can do about this for F40: maybe a backport
> > > > can also be done for F39.
> > > >
> > > > Next time you could also comment on the relevant bug:
> > > > https://bugzilla.redhat.com/show_bug.cgi?id=1996301 - that would be
> > > > appreciated.
> > > >
> > > > Thanks, Jens
> > > >
> > > > PS Special thanks to Neal Gompa for pinging me in Matrix. 🙏
> > > >
> > > > On Fri, 9 Feb 2024, 20:05 Christopher Klooz wrote:
> > > > > I cannot reach the maintainer petersen (see mail below): The package
> > > > > "pandoc" remains at 3.1.3 in Fedora, but pandoc is already at 3.1.11.1.
> > > > > Among the updates since 3.1.3, there have been two security-critical
> > > > > (including the medium CVE-2023-35936. Security fixes are in 3.1.4 & 3.1.6).
> > > > >
> > > > > The actual risk is limited, but these should be updated nevertheless.
> > > > >
> > > > > Does anyone know how to reach him by other means?
> > > > >
> > > > > Regards,
> > > > > Chris
> > > > >
> > > > >  Forwarded Message 
> > > > > Subject: Fedora package "pandoc" outdated and contains security
> > > > > vulnerability
> > > > > Date: Thu, 1 Feb 2024 15:55:09 +0100
> > > > > From: py0...@posteo.net
> > > > > To: peter...@fedoraproject.org
> > > > >
> > > > > Hi petersen,
> > > > >
> > > > > I am reaching out because of the package "pandoc", which you maintain.
> > > > >
> > > > > I have seen that the package is still at version 3.1.3 [1] when I tried
> > > > > to install it with dnf, whereas the current version is 3.1.11.1 [2]: is
> > > > > this intended or an accident?
> > > > >
> > > > > It has to be noted that the updates that have been added in the meantime
> > > > > contain fixes for security vulnerabilities (at least CVE-2023-35936; I have
> > > > > just roughly skimmed the changelogs). So at the moment, it seems the Fedora
> > > > > build can be exploited by attackers in some circumstances [3] [4] because
> > > > > it is still at 3.1.3.
> > > > >
> > > > > Regards & thanks for maintaining,
> > > > >
> > > > > Chris
> > > > >
> > > > > [1] https://koji.fedoraproject.org/koji/packageinfo?packageID=11560
> > > > >
> > > > > [2] https://hackage.haskell.org/package/pandoc & https://github.com/jgm/pandoc
> > > > >
> > > > > [3] https://github.com/jgm/pandoc/releases?page=1
> > > > >
> > > > > [4] https://github.com/jgm/pandoc/releases?page=2

Re: Unresponsive maintainer: petersen / Pandoc package not updated since June 2023: Security vulnerability, CVE-2023-35936 (medium)

2024-02-15 Thread Christopher Klooz

On 14/02/2024 17.35, Michel Lind wrote:
> As a pandoc user, I'm happy to help with any reviews. Is there a list
> where this tends to get posted, apart from devel?
>
> Thanks,
>
> Michel

Once the package needs a review, the request should be found here:
http://fedoraproject.org/PackageReviewStatus/

Details of the roles of "contributor" and "reviewer" in the "package
review process" can be found here:
https://docs.fedoraproject.org/en-US/package-maintainers/Package_Review_Process/
(based upon its history, I expect this page is kept updated but I don't
know for sure)

According to the elaboration, you need to be in the FAS packager group,
even for reviews.

> On Fri, Feb 09, 2024 at 11:26:33PM +0800, Jens-Ulrik Petersen wrote:
> > I should also have added there's an increasing amount of technical debt
> > with the pandoc packaging - I guess I need to beg people to help with
> > package reviews: also reminded of our packaging (review) streamlining
> > discussion from Flock last year.
> >
> > Jens
> >
> > On Fri, 9 Feb 2024, 23:23 Jens-Ulrik Petersen wrote:
> > > Hello I am here - thanks for contacting me.
> > >
> > > I was hoping to cover this as part of my F40 Change, but unfortunately I
> > > haven't gotten to it, so the Change is now at risk of being deferred to F41.
> > >
> > > Nevertheless I will see what I can do about this for F40: maybe a backport
> > > can also be done for F39.
> > >
> > > Next time you could also comment on the relevant bug:
> > > https://bugzilla.redhat.com/show_bug.cgi?id=1996301 - that would be
> > > appreciated.
> > >
> > > Thanks, Jens
> > >
> > > PS Special thanks to Neal Gompa for pinging me in Matrix. 🙏
> > >
> > > On Fri, 9 Feb 2024, 20:05 Christopher Klooz wrote:
> > > > I cannot reach the maintainer petersen (see mail below): The package
> > > > "pandoc" remains at 3.1.3 in Fedora, but pandoc is already at 3.1.11.1.
> > > > Among the updates since 3.1.3, there have been two security-critical
> > > > (including the medium CVE-2023-35936. Security fixes are in 3.1.4 & 3.1.6).
> > > >
> > > > The actual risk is limited, but these should be updated nevertheless.
> > > >
> > > > Does anyone know how to reach him by other means?
> > > >
> > > > Regards,
> > > > Chris
> > > >
> > > >  Forwarded Message 
> > > > Subject: Fedora package "pandoc" outdated and contains security
> > > > vulnerability
> > > > Date: Thu, 1 Feb 2024 15:55:09 +0100
> > > > From: py0...@posteo.net
> > > > To: peter...@fedoraproject.org
> > > >
> > > > Hi petersen,
> > > >
> > > > I am reaching out because of the package "pandoc", which you maintain.
> > > >
> > > > I have seen that the package is still at version 3.1.3 [1] when I tried
> > > > to install it with dnf, whereas the current version is 3.1.11.1 [2]: is
> > > > this intended or an accident?
> > > >
> > > > It has to be noted that the updates that have been added in the meantime
> > > > contain fixes for security vulnerabilities (at least CVE-2023-35936; I have
> > > > just roughly skimmed the changelogs). So at the moment, it seems the Fedora
> > > > build can be exploited by attackers in some circumstances [3] [4] because
> > > > it is still at 3.1.3.
> > > >
> > > > Regards & thanks for maintaining,
> > > >
> > > > Chris
> > > >
> > > > [1] https://koji.fedoraproject.org/koji/packageinfo?packageID=11560
> > > >
> > > > [2] https://hackage.haskell.org/package/pandoc & https://github.com/jgm/pandoc
> > > >
> > > > [3] https://github.com/jgm/pandoc/releases?page=1
> > > >
> > > > [4] https://github.com/jgm/pandoc/releases?page=2

Re: Unresponsive maintainer: petersen / Pandoc package not updated since June 2023: Security vulnerability, CVE-2023-35936 (medium)

2024-02-14 Thread Michel Lind
As a pandoc user, I'm happy to help with any reviews. Is there a list
where this tends to get posted, apart from devel?

Thanks,

Michel

On Fri, Feb 09, 2024 at 11:26:33PM +0800, Jens-Ulrik Petersen wrote:
> I should also have added there's an increasing amount of technical debt
> with the pandoc packaging - I guess I need to beg people to help with
> package reviews: also reminded of our packaging (review) streamlining
> discussion from Flock last year.
> 
> Jens
> 
> On Fri, 9 Feb 2024, 23:23 Jens-Ulrik Petersen,  wrote:
> 
> > Hello I am here - thanks for contacting me.
> >
> > I was hoping to cover this as part of my F40 Change, but unfortunately I
> > haven't gotten to it, so the Change is now at risk of being deferred to F41.
> >
> > Nevertheless I will see what I can do about this for F40: maybe a backport
> > can also be done for F39.
> >
> > Next time you could also comment on the relevant bug:
> > https://bugzilla.redhat.com/show_bug.cgi?id=1996301 - that would be
> > appreciated.
> >
> > Thanks, Jens
> >
> > PS Special thanks to Neal Gompa for pinging me in Matrix. 🙏
> >
> >
> > On Fri, 9 Feb 2024, 20:05 Christopher Klooz,  wrote:
> >
> >> I cannot reach the maintainer petersen (see mail below): The package
> >> "pandoc" remains at 3.1.3 in Fedora, but pandoc is already at 3.1.11.1.
> >> Among the updates since 3.1.3, there have been two security-critical
> >> (including the medium CVE-2023-35936. Security fixes are in 3.1.4 & 3.1.6).
> >>
> >> The actual risk is limited, but these should be updated nevertheless.
> >>
> >> Does anyone know how to reach him by other means?
> >>
> >> Regards,
> >> Chris
> >>
> >>
> >>  Forwarded Message 
> >> Subject: Fedora package "pandoc" outdated and contains security
> >> vulnerability
> >> Date: Thu, 1 Feb 2024 15:55:09 +0100
> >> From: py0...@posteo.net
> >> To: peter...@fedoraproject.org
> >>
> >> Hi petersen,
> >>
> >> I am reaching out because of the package "pandoc", which you maintain.
> >>
> >> I have seen that the package is still at version 3.1.3 [1] when I tried
> >> to install it with dnf, whereas the current version is 3.1.11.1 [2]: is
> >> this intended or an accident?
> >>
> >> It has to be noted that the updates that have been added in the meantime
> >> contain fixes for security vulnerabilities (at least CVE-2023-35936; I have
> >> just roughly skimmed the changelogs). So at the moment, it seems the Fedora
> >> build can be exploited by attackers in some circumstances [3] [4] because
> >> it is still at 3.1.3.
> >>
> >> Regards & thanks for maintaining,
> >>
> >> Chris
> >>
> >> [1] https://koji.fedoraproject.org/koji/packageinfo?packageID=11560
> >>
> >> [2] https://hackage.haskell.org/package/pandoc &
> >> https://github.com/jgm/pandoc
> >>
> >> [3] https://github.com/jgm/pandoc/releases?page=1
> >>
> >> [4] https://github.com/jgm/pandoc/releases?page=2
> >>


-- 
Michel Lind (né Salim)
identities: https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2




Re: Unresponsive maintainer: petersen / Pandoc package not updated since June 2023: Security vulnerability, CVE-2023-35936 (medium)

2024-02-14 Thread Richard W.M. Jones
Re: pandoc, we managed to build it on RISC-V thanks to the changes you
merged in ghc:

  $ uname -a
  Linux vf2.home.annexia.org 5.15.0-starfive #1 SMP Sun Jun 11 07:48:39 UTC 
2023 riscv64 GNU/Linux
  $ rpm -q pandoc
  pandoc-3.1.3-27.fc41.riscv64
  $ pandoc --version
  pandoc 3.1.3
  Features: -server +lua
  Scripting engine: Lua 5.4
  User data directory: /home/rjones/.local/share/pandoc
  Copyright (C) 2006-2023 John MacFarlane. Web: https://pandoc.org
  This is free software; see the source for copying conditions. There is no
  warranty, not even for merchantability or fitness for a particular purpose.

Is it possible you could bump and rebuild the ghc package in Rawhide?
That will allow us to rebuild our downstream ghc package
(http://fedora.riscv.rocks/koji/buildinfo?buildID=281302) without the
'.0.riscv64' extension.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
Fedora Windows cross-compiler. Compile Windows programs, test, and
build Windows installers. Over 100 libraries supported.
http://fedoraproject.org/wiki/MinGW


Re: Unresponsive maintainer: petersen / Pandoc package not updated since June 2023: Security vulnerability, CVE-2023-35936 (medium)

2024-02-10 Thread Christopher Klooz

On 09/02/2024 16.26, Jens-Ulrik Petersen wrote:
> I should also have added there's an increasing amount of technical debt
> with the pandoc packaging - I guess I need to beg people to help with
> package reviews: also reminded of our packaging (review) streamlining
> discussion from Flock last year.
>
> Jens

Unfortunately, I couldn't attend last Flock, so I don't know the related
discussion. But I will have a look at the current review guidelines in
the next days, in order to check if this is a commitment I can reliably
provide over time. Maybe I can support with this. I'll let you know if so.

> On Fri, 9 Feb 2024, 23:23 Jens-Ulrik Petersen wrote:
> > Hello I am here - thanks for contacting me.
> >
> > I was hoping to cover this as part of my F40 Change, but unfortunately I
> > haven't gotten to it, so the Change is now at risk of being deferred to F41.
> >
> > Nevertheless I will see what I can do about this for F40: maybe a backport
> > can also be done for F39.
> >
> > Next time you could also comment on the relevant bug:
> > https://bugzilla.redhat.com/show_bug.cgi?id=1996301 - that would be
> > appreciated.
> >
> > Thanks, Jens
> >
> > PS Special thanks to Neal Gompa for pinging me in Matrix. 🙏
> >
> > On Fri, 9 Feb 2024, 20:05 Christopher Klooz wrote:
> > > I cannot reach the maintainer petersen (see mail below): The package
> > > "pandoc" remains at 3.1.3 in Fedora, but pandoc is already at 3.1.11.1.
> > > Among the updates since 3.1.3, there have been two security-critical
> > > (including the medium CVE-2023-35936. Security fixes are in 3.1.4 & 3.1.6).
> > >
> > > The actual risk is limited, but these should be updated nevertheless.
> > >
> > > Does anyone know how to reach him by other means?
> > >
> > > Regards,
> > > Chris
> > >
> > >  Forwarded Message 
> > > Subject: Fedora package "pandoc" outdated and contains security
> > > vulnerability
> > > Date: Thu, 1 Feb 2024 15:55:09 +0100
> > > From: py0...@posteo.net
> > > To: peter...@fedoraproject.org
> > >
> > > Hi petersen,
> > >
> > > I am reaching out because of the package "pandoc", which you maintain.
> > >
> > > I have seen that the package is still at version 3.1.3 [1] when I tried
> > > to install it with dnf, whereas the current version is 3.1.11.1 [2]: is
> > > this intended or an accident?
> > >
> > > It has to be noted that the updates that have been added in the meantime
> > > contain fixes for security vulnerabilities (at least CVE-2023-35936; I have
> > > just roughly skimmed the changelogs). So at the moment, it seems the Fedora
> > > build can be exploited by attackers in some circumstances [3] [4] because
> > > it is still at 3.1.3.
> > >
> > > Regards & thanks for maintaining,
> > >
> > > Chris
> > >
> > > [1] https://koji.fedoraproject.org/koji/packageinfo?packageID=11560
> > >
> > > [2] https://hackage.haskell.org/package/pandoc & https://github.com/jgm/pandoc
> > >
> > > [3] https://github.com/jgm/pandoc/releases?page=1
> > >
> > > [4] https://github.com/jgm/pandoc/releases?page=2


Re: Unresponsive maintainer: petersen / Pandoc package not updated since June 2023: Security vulnerability, CVE-2023-35936 (medium)

2024-02-10 Thread Christopher Klooz

Hi Jens,

Thanks for the information. Unfortunately, I didn't see the bugzilla ticket.

On 09/02/2024 16.23, Jens-Ulrik Petersen wrote:
> Hello I am here - thanks for contacting me.
>
> I was hoping to cover this as part of my F40 Change, but unfortunately I
> haven't gotten to it, so the Change is now at risk of being deferred to F41.
>
> Nevertheless I will see what I can do about this for F40: maybe a backport
> can also be done for F39.
>
> Next time you could also comment on the relevant bug:
> https://bugzilla.redhat.com/show_bug.cgi?id=1996301 - that would be
> appreciated.
>
> Thanks, Jens
>
> PS Special thanks to Neal Gompa for pinging me in Matrix. 🙏
>
> On Fri, 9 Feb 2024, 20:05 Christopher Klooz wrote:
> > I cannot reach the maintainer petersen (see mail below): The package
> > "pandoc" remains at 3.1.3 in Fedora, but pandoc is already at 3.1.11.1.
> > Among the updates since 3.1.3, there have been two security-critical
> > (including the medium CVE-2023-35936. Security fixes are in 3.1.4 & 3.1.6).
> >
> > The actual risk is limited, but these should be updated nevertheless.
> >
> > Does anyone know how to reach him by other means?
> >
> > Regards,
> > Chris
> >
> >  Forwarded Message 
> > Subject: Fedora package "pandoc" outdated and contains security
> > vulnerability
> > Date: Thu, 1 Feb 2024 15:55:09 +0100
> > From: py0...@posteo.net
> > To: peter...@fedoraproject.org
> >
> > Hi petersen,
> >
> > I am reaching out because of the package "pandoc", which you maintain.
> >
> > I have seen that the package is still at version 3.1.3 [1] when I tried to
> > install it with dnf, whereas the current version is 3.1.11.1 [2]: is this
> > intended or an accident?
> >
> > It has to be noted that the updates that have been added in the meantime
> > contain fixes for security vulnerabilities (at least CVE-2023-35936; I have
> > just roughly skimmed the changelogs). So at the moment, it seems the Fedora
> > build can be exploited by attackers in some circumstances [3] [4] because
> > it is still at 3.1.3.
> >
> > Regards & thanks for maintaining,
> >
> > Chris
> >
> > [1] https://koji.fedoraproject.org/koji/packageinfo?packageID=11560
> >
> > [2] https://hackage.haskell.org/package/pandoc & https://github.com/jgm/pandoc
> >
> > [3] https://github.com/jgm/pandoc/releases?page=1
> >
> > [4] https://github.com/jgm/pandoc/releases?page=2

--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue


--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: Unresponsive maintainer: petersen / Pandoc package not updated since June 2023: Security vulnerability, CVE-2023-35936 (medium)

2024-02-09 Thread Jens-Ulrik Petersen
I should also have added that there's an increasing amount of technical debt
with the pandoc packaging - I guess I need to beg people to help with
package reviews; I'm also reminded of our packaging (review) streamlining
discussion from Flock last year.

Jens

On Fri, 9 Feb 2024, 23:23 Jens-Ulrik Petersen,  wrote:

> Hello I am here - thanks for contacting me.
>
> I was hoping to cover this as part of my F40 Change, but unfortunately I
> haven't gotten to it, so the Change is now at risk of being deferred to F41.
>
> Nevertheless I will see what I can do about this for F40: maybe a backport
> can also be done for F39.
>
> Next time you could also comment on the relevant bug:
> https://bugzilla.redhat.com/show_bug.cgi?id=1996301 - that would be
> appreciated.
>
> Thanks, Jens
>
> PS Special thanks to Neal Gompa for pinging me in Matrix. 🙏
>
>
> On Fri, 9 Feb 2024, 20:05 Christopher Klooz,  wrote:
>
>> I cannot reach the maintainer petersen (see mail below): The package
>> "pandoc" remains at 3.1.3 in Fedora, but pandoc is already at 3.1.11.1.
>> Among the updates since 3.1.3, there have been two security-critical
>> (including the medium CVE-2023-35936. Security fixes are in 3.1.4 & 3.1.6).
>>
>> The actual risk is limited, but these should be updated nevertheless.
>>
>> Does anyone know how to reach him by other means?
>>
>> Regards,
>> Chris
>>
>>
>>  Forwarded Message 
>> Subject: Fedora package "pandoc" outdated and contains security
>> vulnerability
>> Date: Thu, 1 Feb 2024 15:55:09 +0100
>> From: py0...@posteo.net
>> To: peter...@fedoraproject.org
>>
>> Hi petersen,
>>
>> I am reaching out because of the package "pandoc", which you maintain.
>>
>> I have seen that the package is still at version 3.1.3 [1] when I tried
>> to install it with dnf, whereas the current version is 3.1.11.1 [2]: is
>> this intended or an accident?
>>
>> It has to be noted that the updates that have been added in the meantime
>> contain fixes for security vulnerabilities (at least CVE-2023-35936; I have
>> just roughly skimmed the changelogs). So at the moment, it seems the Fedora
>> build can be exploited by attackers in some circumstances [3] [4] because
>> it is still at 3.1.3.
>>
>> Regards & thanks for maintaining,
>>
>> Chris
>>
>> [1] https://koji.fedoraproject.org/koji/packageinfo?packageID=11560
>>
>> [2] https://hackage.haskell.org/package/pandoc &
>> https://github.com/jgm/pandoc
>>
>> [3] https://github.com/jgm/pandoc/releases?page=1
>>
>> [4] https://github.com/jgm/pandoc/releases?page=2
>>
>> --
>> ___
>> devel mailing list -- devel@lists.fedoraproject.org
>> To unsubscribe send an email to devel-le...@lists.fedoraproject.org
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
>> Do not reply to spam, report it:
>> https://pagure.io/fedora-infrastructure/new_issue
>>
>
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: Unresponsive maintainer: petersen / Pandoc package not updated since June 2023: Security vulnerability, CVE-2023-35936 (medium)

2024-02-09 Thread Jens-Ulrik Petersen
Hello I am here - thanks for contacting me.

I was hoping to cover this as part of my F40 Change, but unfortunately I
haven't gotten to it, so the Change is now at risk of being deferred to F41.

Nevertheless I will see what I can do about this for F40: maybe a backport
can also be done for F39.

Next time you could also comment on the relevant bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1996301 - that would be
appreciated.

Thanks, Jens

PS Special thanks to Neal Gompa for pinging me in Matrix. 🙏


On Fri, 9 Feb 2024, 20:05 Christopher Klooz,  wrote:

> I cannot reach the maintainer petersen (see mail below): The package
> "pandoc" remains at 3.1.3 in Fedora, but pandoc is already at 3.1.11.1.
> Among the updates since 3.1.3, there have been two security-critical ones
> (including the medium CVE-2023-35936; the security fixes are in 3.1.4 & 3.1.6).
>
> The actual risk is limited, but these should be updated nevertheless.
>
> Does anyone know how to reach him by other means?
>
> Regards,
> Chris
>
>
> -------- Forwarded Message --------
> Subject: Fedora package "pandoc" outdated and contains security
> vulnerability
> Date: Thu, 1 Feb 2024 15:55:09 +0100
> From: py0...@posteo.net
> To: peter...@fedoraproject.org
>
> Hi petersen,
>
> I am reaching out because of the package "pandoc", which you maintain.
>
> I have seen that the package is still at version 3.1.3 [1] when I tried to
> install it with dnf, whereas the current version is 3.1.11.1 [2]: is this
> intended or an accident?
>
> It has to be noted that the updates that have been added in the meantime
> contain fixes for security vulnerabilities (at least CVE-2023-35936; I have
> just roughly skimmed the changelogs). So at the moment, it seems the Fedora
> build can be exploited by attackers in some circumstances [3] [4] because
> it is still at 3.1.3.
>
> Regards & thanks for maintaining,
>
> Chris
>
> [1] https://koji.fedoraproject.org/koji/packageinfo?packageID=11560
>
> [2] https://hackage.haskell.org/package/pandoc &
> https://github.com/jgm/pandoc
>
> [3] https://github.com/jgm/pandoc/releases?page=1
>
> [4] https://github.com/jgm/pandoc/releases?page=2
>
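As an added example (not part of the thread, and not Fedora or pandoc project code), here is a small POSIX shell check for the situation Chris describes: given an installed pandoc version, decide whether it predates the two fix releases named in the report (3.1.4 and 3.1.6). It compares versions with `sort -V` rather than plain string comparison, which matters here because "3.1.11.1" sorts before "3.1.4" as a string. The sample versions fed to it (3.1.3 and 3.1.11.1) are constructed from the figures in the thread; the `rpm -q` call is only attempted when `rpm` exists on the host, and the `%{VERSION}` query format is a standard rpm query tag.

```shell
#!/bin/sh
# Added example, not from the thread: flag a pandoc version that is missing
# the security fixes the report attributes to 3.1.4 and 3.1.6.

# version_lt A B -> status 0 if A sorts strictly before B (GNU sort -V order),
# 1 otherwise. Equal versions are not "less than".
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# pandoc_fix_status VERSION -> prints a one-line verdict; status 1 if the
# version is older than any fix release, 0 if it includes both fixes.
pandoc_fix_status() {
    ver="$1"
    missing=""
    for fixed in 3.1.4 3.1.6; do          # fix releases named in the thread
        if version_lt "$ver" "$fixed"; then
            missing="$missing $fixed"
        fi
    done
    if [ -n "$missing" ]; then
        printf 'pandoc %s: older than fix release(s)%s\n' "$ver" "$missing"
        return 1
    fi
    printf 'pandoc %s: includes the 3.1.4 and 3.1.6 fixes\n' "$ver"
    return 0
}

# installed_pandoc_version -> RPM version of an installed pandoc, else empty.
# Safe where rpm or pandoc is absent (prints nothing, never fails the script).
installed_pandoc_version() {
    if command -v rpm >/dev/null 2>&1 && rpm -q pandoc >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}\n' pandoc 2>/dev/null || true
    fi
}

# Constructed sample input: the Fedora version the thread reports (3.1.3)
# and the upstream version it is compared against (3.1.11.1).
for sample in 3.1.3 3.1.11.1; do
    pandoc_fix_status "$sample" || true
done

# Live check on a real host; a no-op when rpm or pandoc is not present.
live="$(installed_pandoc_version)"
if [ -n "$live" ]; then
    pandoc_fix_status "$live" || true
fi
```

The same shape generalizes to any package where a report names fix releases: replace the two literals in the `for fixed in` list and the query with the package in question. Note that this only compares upstream version numbers; a distribution that backports a fix without bumping the version (as Jens mentions considering for F39) would still be reported as "older", so check the package changelog (`rpm -q --changelog pandoc`) before concluding a host is affected.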