The current version of oniguruma in EPEL 7 is affected by multiple CVEs.

* rhbz#1466750 - CVE-2017-9224 CVE-2017-9225 CVE-2017-9226 CVE-2017-9227 CVE-2017-9228 CVE-2017-9229
* rhbz#1728967 - CVE-2019-13225
* rhbz#1728972 - CVE-2019-13224
* rhbz#1768999 - CVE-2019-16163
* rhbz#1770213 - CVE-2019-16161
* rhbz#1777538 - CVE-2019-19246
* rhbz#1802053 - CVE-2019-19012
* rhbz#1802063 - CVE-2019-19203
* rhbz#1802072 - CVE-2019-19204

I've discussed doing an incompatible upgrade of the package with the other maintainers (rhbz#1777660), and so far no one is opposed to it. As far as I can tell, the only package that would need to be rebuilt is jq.

```
[root@c7-container:~]# repoquery --provides oniguruma | grep '\.so'
libonig.so.2()(64bit)
[root@c7-container:~]# repoquery --whatrequires 'libonig.so.2()(64bit)'
jq-0:1.6-1.el7.x86_64
oniguruma-devel-0:5.9.5-3.el7.x86_64
[root@c7-container:~]# repoquery --quiet --disablerepo \* --queryformat '%{name}' --archlist src --enablerepo epel-source,epel-testing-source --whatrequires oniguruma-devel
jq
```

Let me know your thoughts and concerns about moving forward with this.

-- 
Carl George
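The three repoquery checks in the mail above (soname provides, binary reverse dependencies, and source-level BuildRequires on the -devel subpackage) generalise to any library whose soname is about to change. The script below is an added example, not part of Carl George's mail or of the oniguruma package: it wraps those queries for an arbitrary package name and reduces the combined output to a de-duplicated rebuild list. It assumes repoquery from yum-utils, the same EPEL 7 source repo names used in the mail, and a hypothetical file name of rebuild_plan.sh; the NEVRA lines fed to rebuild_set in the usage note are constructed from the mail's output.

```shell
#!/bin/sh
# Added example (not from the mail): "what must be rebuilt if this library
# bumps its soname?" as a reusable script. Assumes repoquery (yum-utils) and
# the EPEL 7 repo names epel-source / epel-testing-source from the mail.

# Binary packages that link against any soname the library package provides.
soname_consumers() {
    lib=$1
    repoquery --provides "$lib" | grep '\.so' | while read -r soname; do
        repoquery --whatrequires "$soname"
    done
}

# Source packages that BuildRequire the -devel subpackage. These need a
# rebuild too, even if their current binary happens to link an older soname.
devel_consumers() {
    repoquery --quiet --disablerepo '*' --queryformat '%{name}' --archlist src \
        --enablerepo epel-source,epel-testing-source --whatrequires "$1-devel"
}

# Pure helper (works offline): read NEVRA strings or bare package names on
# stdin, strip "-epoch:version-release.arch", drop the library's own
# subpackages (they ship with the update itself), and de-duplicate.
rebuild_set() {
    lib=$1
    sed 's/-[0-9]*:[^-]*-[^-]*$//' \
      | grep -v -e "^$lib\$" -e "^$lib-" \
      | sort -u
}

# Combine the live queries into one rebuild list for a library package.
rebuild_plan() {
    { soname_consumers "$1"; devel_consumers "$1"; } | rebuild_set "$1"
}

# Only query the repos when a package name is given, e.g.:
#   sh rebuild_plan.sh oniguruma
if [ -n "${1:-}" ]; then
    rebuild_plan "$1"
fi
```

Feeding rebuild_set the lines from the mail (jq-0:1.6-1.el7.x86_64, oniguruma-devel-0:5.9.5-3.el7.x86_64 and the bare jq from the source query) yields the single entry jq, matching the conclusion in the mail. The devel_consumers query is kept separate from the soname query on purpose: a package whose BuildRequires pulls in the -devel subpackage is a rebuild candidate even when repoquery --whatrequires on the soname does not list it.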