Re: [PATCH] [zeus] aspell: CVE-2019-20433

Openembedded Core Discussions
 help / color / mirror / Atom feed

From: Adrian Bunk <bunk@stusta.de>
To: Mikko.Rapeli@bmw.de
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [PATCH] [zeus] aspell: CVE-2019-20433
Date: Thu, 12 Mar 2020 14:49:08 +0200	[thread overview]
Message-ID: <20200312124908.GA21921@localhost> (raw)
In-Reply-To: <20200312123418.GR104502@korppu>

On Thu, Mar 12, 2020 at 12:34:19PM +0000, Mikko.Rapeli@bmw.de wrote:
> On Thu, Mar 12, 2020 at 12:25:21PM +0000, Mittal, Anuj wrote:
> > It looks like this is changing the API. I wonder if this would need any
> > other change or break something elsewhere in OE-core, meta-oe?
> > 
> > http://aspell.net/buffer-overread-ucs.txt
> 
> Debian classified issues as minor and fixed only by updating
> to 0.60.8:
> 
> https://security-tracker.debian.org/tracker/CVE-2019-20433
> 
> https://metadata.ftp-master.debian.org/changelogs//main/a/aspell/aspell_0.60.8-1_changelog
> 
> Maybe whitelist for stable branches and update to new version on master?

master already has the new version.

IMHO whitelisting is wrong unless there would be a clear and documented 
policy what kind of vulnerabilities are getting whitelisted.

But even then "Base Score: 9.1 CRITICAL"[1] would make whitelisting 
unlikely in this case.

> Cheers,
> 
> -Mikko

cu
Adrian

[1] https://nvd.nist.gov/vuln/detail/CVE-2019-20433

next prev parent reply	other threads:[~2020-03-12 12:49 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-03-12  9:23 [PATCH] [zeus] aspell: CVE-2019-20433 Stefan Ghinea
2020-03-12 12:25 ` Mittal, Anuj
2020-03-12 12:34   ` Mikko.Rapeli
2020-03-12 12:49     ` Adrian Bunk [this message]
2020-03-12 13:25       ` Mikko.Rapeli
2020-03-12 13:04     ` Mittal, Anuj
2020-03-12 14:35   ` Stefan Robert Ghinea

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200312124908.GA21921@localhost \
    --to=bunk@stusta.de \
    --cc=Mikko.Rapeli@bmw.de \
    --cc=openembedded-core@lists.openembedded.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox