While I generally agree with the "upgrade if you worry about this" advice, I am also aware that the concern did not come from consumer desktops, but from embedded, mobile and shipped / long-term-maintained systems like Solaris, Android, Raspberry Pi OS, etc. So I would add this to the "upgrade" advice: complain to the vendors (Sun, Google, Samsung, Raspberry Pi Foundation, etc.) about them shipping outdated versions. There is no point complaining to upstream on this. The FreeType people may, under pressure, release a 2.13.2.1 (or some appropriately versioned backport), but it is still up to the shipping vendors to take it. And if you are trying to persuade these vendors to ship backports etc., you might as well try to ask them to upgrade...

On Thursday 13 March 2025 at 11:24:35 GMT, Alexei Podtelezhnikov <apodt...@gmail.com> wrote:

> On Wed, Mar 12, 2025 at 9:37 PM Alan Coopersmith <alan.coopersm...@oracle.com> wrote:
> > https://www.facebook.com/security/advisories/cve-2025-27363
> >
> > https://gitlab.freedesktop.org/freetype/freetype/-/commit/ef636696524b081f1b8819eb0c6a0b932d35757d
>
> Dear Alan,
>
> We have been informed in advance about this. We suspect that Meta used some AI tools to scan the commit history and identify commits with potential changes in memory access patterns. The first claim was that <= 2.13.2 were vulnerable, which we pushed back by a year and a half. In this brave new world, freezing the old software versions is no longer viable for the open systems. We invite everybody to use the most recent version and help us improve FreeType, rather than engaging in the patch race against AI.
>
> Alexei