On Thu, Jan 30, 2020 at 01:49:55PM -0500, Stephen John Smoogen wrote: > Currently opensmtpd has a high level remote CVE and several others from the > release listed. I have tried to compile the updated version but […] According to the oss-security list[1], this vulnerability has been made exploitable in May 2018 - the version in EPEL (and Fedora) is 6.0.3, which was released on Jan 4, 2018[2]. > I would like to remove opensmtpd from EPEL. If someone wants to fix/patch > it that would be great also but it might become a long war of attrition. I'd prefer just retiring the epel branch. I'm not using it myself, but as it seems the CVEs I could find for OpenSMTPd do not affect the EPEL version I wouldn't remove/obsolete already installed packages. In Fedora there seems to be activity in OpenSMTPd (only checked bugzilla[3]), so maybe the Fedora Maintainer is interested in also taking the EPEL branch? (I've cc'ed the Fedora Maintainer, hope that's okay.) All the best, Astra [1] https://www.openwall.com/lists/oss-security/2020/01/28/3 [2] https://github.com/OpenSMTPD/OpenSMTPD/releases?after=opensmtpd-6.4.1p1 [3] https://bugzilla.redhat.com/show_bug.cgi?id=1742449
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ epel-devel mailing list -- epel-devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to epel-devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/epel-devel@xxxxxxxxxxxxxxxxxxxxxxx
