On 09/02/2024 16.26, Jens-Ulrik Petersen wrote:
I should also have added there's an increasing amount of technical debt
with the pandoc packaging - I guess I need to beg people to help with
package reviews: also reminded of our packaging (review) streamlining
discussion from Flock last year.
Jens
Unfortunately, I couldn't attend last Flock, so I don't know the related
discussion. But I will have a look at the current review guidelines in
the next days, in order to check if this is a commitment I can reliably
provide over time. Maybe I can support with this. I'll let you know if so.
On Fri, 9 Feb 2024, 23:23 Jens-Ulrik Petersen, <petersen@xxxxxxxxxx> wrote:
Hello, I am here - thanks for contacting me.
I was hoping to cover this as part of my F40 Change, but unfortunately I
haven't gotten to it, so the Change is now at risk of being deferred to F41.
Nevertheless I will see what I can do about this for F40: maybe a backport
can also be done for F39.
Next time you could also comment on the relevant bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1996301 - that would be
appreciated.
Thanks, Jens
PS Special thanks to Neal Gompa for pinging me in Matrix. 🙏
On Fri, 9 Feb 2024, 20:05 Christopher Klooz, <py0xc3@xxxxxxxxxx> wrote:
I cannot reach the maintainer petersen (see mail below): The package
"pandoc" remains at 3.1.3 in Fedora, but pandoc is already at 3.1.11.1.
Among the updates since 3.1.3, there have been two security-critical ones
(including the medium CVE-2023-35936; security fixes are in 3.1.4 & 3.1.6).
The actual risk is limited, but these should be updated nevertheless.
Does anyone know how to reach him by other means?
Regards,
Chris
-------- Forwarded Message --------
Subject: Fedora package "pandoc" outdated and contains security
vulnerability
Date: Thu, 1 Feb 2024 15:55:09 +0100
From: py0xc3@xxxxxxxxxx
To: petersen@xxxxxxxxxxxxxxxxx
Hi petersen,
I am reaching out because of the package "pandoc", which you maintain.
I have seen that the package is still at version 3.1.3 [1] when I tried
to install it with dnf, whereas the current version is 3.1.11.1 [2]: is
this intended or an accident?
It has to be noted that the updates that have been added in the meantime
contain fixes for security vulnerabilities (at least CVE-2023-35936; I have
just roughly skimmed the changelogs). So at the moment, it seems the Fedora
build can be exploited by attackers in some circumstances [3] [4] because
it is still at 3.1.3.
Regards & thanks for maintaining,
Chris
[1] https://koji.fedoraproject.org/koji/packageinfo?packageID=11560
[2] https://hackage.haskell.org/package/pandoc &
https://github.com/jgm/pandoc
[3] https://github.com/jgm/pandoc/releases?page=1
[4] https://github.com/jgm/pandoc/releases?page=2
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
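The thread turns on comparing an installed package version (3.1.3) with the releases that carry the fixes (3.1.4 and 3.1.6, as the mail states). As an added example that is not part of the thread and not Fedora or pandoc tooling, here is a small checker that does that comparison numerically; a plain string comparison gets it wrong, because "3.1.11.1" sorts lexicographically before "3.1.3". The `rpm -q --qf` output line it parses is a constructed sample; the mapping of CVEs to specific fix releases is not stated in the mail and is therefore not encoded here.

```python
"""Flag an installed pandoc version that predates the security-fix releases
named in the thread. Added example; not Fedora, RPM or pandoc project code."""
import re

# Releases the mail names as carrying security fixes (3.1.4 and 3.1.6).
SECURITY_FIX_RELEASES = ("3.1.4", "3.1.6")


def parse_version(version):
    """Split a dotted release string into a tuple of ints so that comparison
    is numeric: (3, 1, 11, 1) > (3, 1, 3), whereas the strings compare the
    other way round. Anything after a '-' (an RPM release tag such as
    '1.fc39') is ignored; only numeric components are kept."""
    core = version.split("-", 1)[0]
    parts = re.findall(r"\d+", core)
    if not parts:
        raise ValueError(f"no numeric components in {version!r}")
    return tuple(int(p) for p in parts)


def is_older(installed, fixed):
    """True if installed < fixed. Shorter tuples are padded with zeros so
    that 3.1 and 3.1.0 compare equal."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return a < b


def missing_fix_releases(installed, fixes=SECURITY_FIX_RELEASES):
    """Return the fix releases that the installed version predates
    (empty list means it already carries all of them)."""
    return [fix for fix in fixes if is_older(installed, fix)]


def parse_rpm_query(line):
    """Parse one line produced by
    rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\\n' pandoc
    into (name, version). The release tag is not part of the comparison."""
    name, version, _release = line.split()
    return name, version


if __name__ == "__main__":
    # Constructed sample of what the rpm query prints on the outdated system.
    sample_line = "pandoc 3.1.3 1.fc39"
    name, version = parse_rpm_query(sample_line)
    missing = missing_fix_releases(version)
    if missing:
        print(f"{name} {version} predates fix releases: {', '.join(missing)}")
    else:
        print(f"{name} {version} includes all listed fix releases")
```

Running it against the constructed line reports that 3.1.3 predates both 3.1.4 and 3.1.6; feeding it "3.1.11.1" (the upstream version the mail cites) reports nothing missing. On a real Fedora host the sample line would come from the `rpm -q --qf` command shown in the docstring.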