Re: glib@2.62.6 is vulnerable to CVE-2021-27218 and CVE-2021-27219

guix-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: glib@2.62.6 is vulnerable to CVE-2021-27218 and CVE-2021-27219

From:	Mark H Weaver
Subject:	Re: glib@2.62.6 is vulnerable to CVE-2021-27218 and CVE-2021-27219
Date:	Thu, 11 Mar 2021 03:28:37 -0500

Hi Léo,

Thanks for bringing this to our attention.

Léo Le Bouter <lle-bout@zaclys.net> writes:
> Upstream does not provide fixes for the 2.62.x series so we need to
> backport ourselves.

One does not follow from the other.  Besides upstream, there exist other
competent organizations (such as Debian, Red Hat, and Ubuntu) that
provide security support for their stable OS releases, and publish
backported fixes as part of that work.

> I would rather switch to upstream-supported version (2.66.x or later)
> as backporting patches does not appear sustainable for us, we already
> have enough on our plate.

As I wrote in another thread: I'll backport the fixes for CVE-2021-27218
and CVE-2021-27219 to our version of Glib, based on the backports
already published by Ubuntu for Glib 2.56.4 and 2.64.4.

     Regards,
       Mark

[Prev in Thread]

Current Thread

[Next in Thread]

glib@2.62.6 is vulnerable to CVE-2021-27218 and CVE-2021-27219, Léo Le Bouter, 2021/03/10
- Re: glib@2.62.6 is vulnerable to CVE-2021-27218 and CVE-2021-27219, Mark H Weaver <=
  - Re: glib@2.62.6 is vulnerable to CVE-2021-27218 and CVE-2021-27219, Mark H Weaver, 2021/03/11
    - Re: glib@2.62.6 is vulnerable to CVE-2021-27218 and CVE-2021-27219, Léo Le Bouter, 2021/03/11

Prev by Date: Re: GNOME 3.34 in GNU Guix and security
Next by Date: Re: I've rebased wip-ppc64le onto core-updates
Previous by thread: glib@2.62.6 is vulnerable to CVE-2021-27218 and CVE-2021-27219
Next by thread: Re: glib@2.62.6 is vulnerable to CVE-2021-27218 and CVE-2021-27219
Index(es):
- Date
- Thread