Re: [SONAME BUMP] capnproto 0.10.2

On Tue, Nov 29, 2022 at 10:17 PM Neal Gompa <ngompa13@xxxxxxxxx> wrote:
>
> On Tue, Nov 29, 2022 at 9:25 AM Neal Gompa <ngompa13@xxxxxxxxx> wrote:
> >
> > Hey all,
> >
> > capnproto 0.10.2 is being upgraded in Rawhide. As part of this, I'll
> > be rebuilding its reverse dependencies:
> >
> > * fastnetmon
> > * librime
> > * rr
> > * sonic-visualiser
> >
> > I'm taking care of all of this in a side-tag and will merge them into
> > Rawhide once everything is done.
> >
>
> This is now done: https://bodhi.fedoraproject.org/updates/FEDORA-2022-7c8341e00e

Done just in time for a CVE to be filed against capnproto < 0.10.3 :D

All currently available versions in Fedora and EPEL 7 (?), 8, and 9
are vulnerable to CVE-2022-46149, according to the upstream advisory:
https://github.com/capnproto/capnproto/security/advisories/GHSA-qqff-4vw4-f6hx

And according to upstream, dependent packages will need to be rebuilt
too, because the affected capnproto code is inlined into binaries ...
Looking at what we currently have in Fedora, Rawhide and EPEL 9 will
need to be updated to v0.10.3, and f37 and f36 will need to be updated
to v0.9.2, and EPEL 8 will need to be updated to v0.7.1. Not sure
about EPEL 7, the version there is ancient, and the v0.5 branch is not
mentioned in the advisory.

If you need help with any of the rebuilds, feel free to ping me.
I'm currently handling the same CVE for the capnp Rust crate (where
thankfully only one application needs to be rebuilt).

Fabio