On Thu, Dec 1, 2022 at 12:50 PM Fabio Valentini <decathorpe@xxxxxxxxx> wrote: > > On Tue, Nov 29, 2022 at 10:17 PM Neal Gompa <ngompa13@xxxxxxxxx> wrote: > > > > On Tue, Nov 29, 2022 at 9:25 AM Neal Gompa <ngompa13@xxxxxxxxx> wrote: > > > > > > Hey all, > > > > > > capnproto 0.10.2 is being upgraded in Rawhide. As part of this, I'll > > > be rebuilding its reverse dependencies: > > > > > > * fastnetmon > > > * librime > > > * rr > > > * sonic-visualiser > > > > > > I'm taking care of all of this in a side-tag and will merge them into > > > Rawhide once everything is done. > > > > > > > This is now done: https://bodhi.fedoraproject.org/updates/FEDORA-2022-7c8341e00e > > Done just in time for a CVE to be filed against capnproto < 0.10.3 :D > > All currently available versions in Fedora and EPEL 7 (?), 8, and 9 > are vulnerable to CVE-2022-46149, according to the upstream advisory: > https://github.com/capnproto/capnproto/security/advisories/GHSA-qqff-4vw4-f6hx > > And according to upstream, dependent packages will need to be rebuilt > too, because the affected capnproto code is inlined into binaries ... > Looking at what we currently have in Fedora, Rawhide and EPEL 9 will > need to be updated to v0.10.3, and f37 and f36 will need to be updated > to v0.9.2, and EPEL 8 will need to be updated to v0.7.1. Not sure > about EPEL 7, the version there is ancient, and the v0.5 branch is not > mentioned in the advisory. Actually, what's sort of crap is that reverse dependencies always have to be rebuilt because upstream uses the full version in the soname. It makes upgrading this library a pain. > > If you need help with any of the rebuilds, feel free to ping me. > I'm currently handling the same CVE for the capnp Rust crate (where > thankfully only one application needs to be rebuilt). > Help would very much be appreciated, I'm currently underwater with other work. -- 真実はいつも一つ!/ Always, there's only one truth! _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
