Re: Dealing with CVEs that apply to unspecified package versions

2017-03-16 Thread Ludovic Courtès
l...@gnu.org (Ludovic Courtès) wrote:

> What about raising the issue on oss-sec? Ideally the QEMU folks would
> take care of labeling QEMU’s CVEs, the libxml2 folks would take care of
> theirs, etc.

For the record I followed up on this discussion on oss-sec:

Re: Dealing with CVEs that apply to unspecified package versions

2017-03-11 Thread Ludovic Courtès
Leo Famulari wrote:

> On Mon, Mar 06, 2017 at 10:36:48PM +0100, Ludovic Courtès wrote:
>> Unfortunately, there’s no way to know whether such CVEs are actually
>> fixed at a specific package version or not, and they’re not uncommon.
>> Consequently, ‘guix lint -c cve’ would

Dealing with CVEs that apply to unspecified package versions

2017-03-06 Thread Ludovic Courtès
Hi! A couple of weeks ago you mentioned that CVE-2016-10165 (for lcms) is not reported by ‘guix lint -c cve’. This is due to the fact that the CVE does not specify the lcms version number it applies to, and thus (guix cve) ignores it. The attached patch fixes (guix cve) to honor CVEs with an