On Thu, Mar 05, 2015 at 05:52:12PM +0000, Stuart Henderson wrote:
> On 2015/03/05 12:41, Ted Unangst wrote:
> > Boudewijn Dijkstra wrote:
> > > On Wed, 04 Mar 2015 23:12:07 +0100, Ted Unangst
> > > <t...@tedunangst.com> wrote:
> > > > Freetype (http://www.freetype.org/) 2.5.5 was released a little while
> > > > ago, fixing some security vulnerabilities. Actually as I understand it,
> > > > 2.5.4 fixed the vulns, then 2.5.5 fixed the fix.
> > > >
> > > > OpenBSD 5.7 will ship with 2.5.5; 5.6 shipped with 2.5.3 and is
> > > > therefore vulnerable.
> > > >
> > > > [...]
> > > >
> > > > Unfortunately, the FreeType project does not appear to have made these
> > > > patches available separately from the releases, which makes it
> > > > difficult for us to apply backports to OpenBSD.
> > >
> > > I guess the most important thing is to give users the opportunity to fix
> > > the vulns. Will there be a CVS tag that 5.6 users can use to update
> > > FreeType to 2.5.5?
> >
> > No. That's too large a change.
> >
>
> Specifically there was a major version number bump to the library in
> the 2.5.4 update. That means that other programs built to use freetype
> would also need to be re-built.
>
> Moving to -current is considerably easier.
So, in fact, all 5.6 users are sitting with a vulnerable freetype in base now. Excellent!