> - Another round of fixes to better handle invalid fonts. Many of
> them are vulnerabilities (see CVE-2012-1126 up to CVE-2012-1144
> and SA48320) so all users should upgrade.
When I go look up those CVEs, MITRE[1] tells me they're under review and NVD[2] says the CVE wasn't found. Searching NVD for "freetype" yields CVE-2011-3439 as the latest. The git log only references "Savannah bug" numbers so I didn't have much luck there either.
Is there a CVE<->bug number map? Or a compiled bug-fix list like what Samba provides in their release notes[3]? I'm happy to go build up my own change list, but there is a relatively huge amount of changes between 2.4.7 (what I have in production) and 2.4.9. I need to assess the need to upgrade my production images (i.e., are we affected by the vulnerabilities, can they be mitigated without recompiling, etc.).
1: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1126
2: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1126
3: http://www.samba.org/samba/history/samba-3.6.2.html

_______________________________________________
Freetype mailing list
https://lists.nongnu.org/mailman/listinfo/freetype
