Hello Werner & freetype Team,

Can you confirm which (or whether all) of the following fixes/patches/commits that 
resolve the issues and CVEs below are incorporated into the latest available version, 
2.12.1?
Fix/Patch (i.e. commit) | Issue | CVE
53dfdcd8<https://gitlab.freedesktop.org/freetype/freetype/-/commit/53dfdcd8198d2b3201a23c4bad9190519ba918db> | #1138<https://gitlab.freedesktop.org/freetype/freetype/-/issues/1138> | CVE-2022-27404<https://nvd.nist.gov/vuln/detail/CVE-2022-27404>
22a0cccb<https://gitlab.freedesktop.org/freetype/freetype/-/commit/22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5> | #1139<https://gitlab.freedesktop.org/freetype/freetype/-/issues/1139> | CVE-2022-27405<https://nvd.nist.gov/vuln/detail/CVE-2022-27405>
0c2bdb01<https://gitlab.freedesktop.org/freetype/freetype/-/commit/0c2bdb01a2e1d24a3e592377a6d0822856e10df2> | #1140<https://gitlab.freedesktop.org/freetype/freetype/-/issues/1140> | CVE-2022-27406<https://nvd.nist.gov/vuln/detail/CVE-2022-27406>

I see that version 2.12.1 was released 1 month ago 
here<https://gitlab.freedesktop.org/freetype/freetype/-/commit/e8ebfe988b5f57bfb9a3ecb13c70d9791bce9ecf>
and that these fixes were committed 3 months ago. I would have expected the 
fixes to be incorporated, but it's unclear based on the results of the code scan and 
the changelog.

Additional Background
I am building an application using Electron. The latest pre-built Electron binary 
(19.0.6) contains freetype. Upon packaging my app and performing a code scan, 
this component and version were flagged with CVEs. I need to resolve these to 
mitigate any security risk associated with freetype.

If we could resolve this promptly, it would be greatly appreciated. Time is of the 
essence on my end.

Thank you,
Aaron

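One way to answer the question in the message above directly from the repository, rather than from a scanner's version match or the changelog (an added example, not part of the thread and not FreeType's own tooling): test whether each fix commit is an ancestor of the release tag with git. It assumes a local, non-shallow clone of https://gitlab.freedesktop.org/freetype/freetype with tags fetched, passed as the first argument, and that the 2.12.1 release is tagged VER-2-12-1 (an assumption about FreeType's tag naming); the three full hashes are the fix commits linked in the table above.

```shell
#!/bin/sh
# Added example: check whether fix commits are contained in a release tag.
# Assumes a local clone of the FreeType repository and that the release is
# tagged VER-2-12-1 (assumption about FreeType's tag naming convention).

# commit_in_release REPO TAG COMMIT
# Exit status: 0 = COMMIT is an ancestor of TAG (the fix is in the release),
#              1 = COMMIT is not reachable from TAG,
#              2 = TAG or COMMIT is not known to the repository.
commit_in_release() {
    repo=$1
    tag=$2
    commit=$3
    # Refuse to guess: an unknown tag or commit is reported, not treated as "missing".
    git -C "$repo" rev-parse --verify --quiet "$tag^{commit}" >/dev/null || return 2
    git -C "$repo" rev-parse --verify --quiet "$commit^{commit}" >/dev/null || return 2
    # --is-ancestor exits 0 when COMMIT is reachable from TAG, 1 otherwise.
    git -C "$repo" merge-base --is-ancestor "$commit" "$tag"
}

# report REPO TAG COMMIT...
# Prints one verdict per commit; exit status 0 only if every commit is in TAG.
report() {
    repo=$1
    tag=$2
    shift 2
    missing=0
    for c in "$@"; do
        rc=0
        commit_in_release "$repo" "$tag" "$c" || rc=$?
        case $rc in
            0) echo "$c: contained in $tag" ;;
            1) echo "$c: NOT contained in $tag"; missing=1 ;;
            *) echo "$c: unknown ref in $repo (fetch tags and commits first)"; missing=1 ;;
        esac
    done
    return $missing
}

# Usage: sh check_fixes.sh /path/to/freetype-clone [TAG]
# The three hashes are the fix commits linked in the message above.
if [ "$#" -ge 1 ]; then
    report "$1" "${2:-VER-2-12-1}" \
        53dfdcd8198d2b3201a23c4bad9190519ba918db \
        22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 \
        0c2bdb01a2e1d24a3e592377a6d0822856e10df2
fi
```

An "unknown ref" verdict means the clone lacks the tag or commit (shallow clone, tags not fetched), not that the fix is absent. The reason to do this rather than trust the scan is that scanners match on a version string, while ancestry in git is the ground truth for whether a given fix is in the source a binary was built from.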