On Fri, May 15, 2020 at 03:59:57PM -0500, Carl George wrote:
> The current version of oniguruma in EPEL 7 is affected by multiple CVEs.
>
> * rhbz#1466750 - CVE-2017-9224 CVE-2017-9225 CVE-2017-9226
>   CVE-2017-9227 CVE-2017-9228 CVE-2017-9229
> * rhbz#1728967 - CVE-2019-13225
> * rhbz#1728972 - CVE-2019-13224
> * rhbz#1768999 - CVE-2019-16163
> * rhbz#1770213 - CVE-2019-16161
> * rhbz#1777538 - CVE-2019-19246
> * rhbz#1802053 - CVE-2019-19012
> * rhbz#1802063 - CVE-2019-19203
> * rhbz#1802072 - CVE-2019-19204
>
> I've discussed doing an incompatible upgrade of the package with the
> other maintainers (rhbz#1777660), and so far no one is opposed to it.
> As far as I can tell, the only package that would need to be rebuilt
> is jq.
>
> ```
> [root@c7-container:~]# repoquery --provides oniguruma | grep '\.so'
> libonig.so.2()(64bit)
> [root@c7-container:~]# repoquery --whatrequires 'libonig.so.2()(64bit)'
> jq-0:1.6-1.el7.x86_64
> oniguruma-devel-0:5.9.5-3.el7.x86_64
> [root@c7-container:~]# repoquery --quiet --disablerepo \* \
>     --queryformat '%{name}' --archlist src --enablerepo \
>     epel-source,epel-testing-source --whatrequires oniguruma-devel
> jq
> ```
>
> Let me know your thoughts and concerns about moving forward with this.

+1 here and thanks for making epel a safer place.

kevin
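The repoquery checks Carl quotes above (find the sonames a package provides, find every package that requires them, drop the library's own subpackages from the result) are the impact analysis for a soname-bumping upgrade. The script below is an added example, not code from the thread or from the EPEL tooling: it takes repoquery-style output and computes the set of binary packages that need a rebuild. The PROVIDES and WHATREQUIRES strings are constructed stand-ins mirroring the thread's output (with an extra i686 line to show de-duplication by name), so the script runs offline; on a real host you would feed it the live output of `repoquery --provides` and `repoquery --whatrequires` instead.

```shell
#!/bin/sh
# Added example (not from the original thread): work out which binary
# packages must be rebuilt when a library's soname changes, from the
# same two repoquery queries used in the thread.

# Constructed stand-in for: repoquery --provides oniguruma
PROVIDES='oniguruma = 5.9.5-3.el7
libonig.so.2()(64bit)
oniguruma(x86-64) = 5.9.5-3.el7'

# Constructed stand-in for: repoquery --whatrequires 'libonig.so.2()(64bit)'
# (the i686 line is constructed to show that names are reported once)
WHATREQUIRES='jq-0:1.6-1.el7.x86_64
oniguruma-devel-0:5.9.5-3.el7.x86_64
jq-0:1.6-1.el7.i686'

# Keep only the shared-library sonames from a --provides listing,
# the same filter as the thread's `grep '\.so'`.
sonames() {
    printf '%s\n' "$1" | grep '\.so'
}

# Reduce NEVRA lines (name-epoch:version-release.arch) to the package name.
# Assumes the epoch is always printed, which is how --whatrequires formats it.
nevra_name() {
    sed -E 's/-[0-9]+:[^-]+-[^-]+\.[^.]+$//'
}

# Packages to rebuild: every consumer of the soname except subpackages of
# the library's own source package ($1), each name listed once.
# $2 is the --whatrequires output for the soname.
rebuild_set() {
    lib="$1"
    printf '%s\n' "$2" | nevra_name \
        | grep -v -x -e "$lib" -e "$lib-.*" \
        | sort -u
}

# Usage: list sonames, then the rebuild set for oniguruma.
sonames "$PROVIDES"
rebuild_set oniguruma "$WHATREQUIRES"
```

This covers only packages that link the library at runtime; as Carl's third query shows, you also want to check which source packages BuildRequire the -devel subpackage, since a package that builds against the headers has to be rebuilt even if the soname dependency is expressed differently. Note also that repoquery only sees the repositories enabled for the query, so run it with the full set of EPEL repos (including -testing) enabled.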
_______________________________________________
epel-devel mailing list -- epel-devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to epel-devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/epel-devel@xxxxxxxxxxxxxxxxxxxxxxx