I think neverpanic tends to be pretty responsive? Moreover, the severity was downgraded from Critical to High between the time the vulnerability was circulating through the grapevine until it actually was disclosed. There are also no known exploits in the wild, thankfully.
LibreSSL (which is what macOS ships in base) is also not vulnerable, neither is OpenSSL1. Anyway, I agree it's important to get tested and merged, but I'm not sure if it would be necessary to jump the gun of the maintainers?

On Tue, Nov 1, 2022, 11:04 Kirill A. Korinsky via macports-dev <[email protected]> wrote:

> Folks,
>
> OpenSSL team released a fix for found CVE:
> https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/
>
> May I ask someone to review a PR to fix this CVE?
>
> https://github.com/macports/macports-ports/pull/16545
>
> I think that this CVE should be a reason to merge such PR ASAP without
> maintainers confirmation.
>
> --
> wbr, Kirill
