I don't mind waiting a bit for the maintainer for this one (especially since it 
looks like it's already been approved and merged by the maintainer :) ), but 
the policy that allows waiving maintainer permission was intended to 
specifically cover security issues (i.e. we discussed this when creating the 
policy and decided that the point that says 'A critical port is broken that affects 
many users' covered security fixes to ports).

> On Nov 1, 2022, at 2:15 PM, grey <artki...@gmail.com> wrote:
> 
> I think neverpanic tends to be pretty responsive?
> 
> Moreover, the severity was downgraded from Critical to High between the 
> time the vulnerability was circulating through the grapevine and when it 
> actually was disclosed. There are also no known exploits in the wild, 
> thankfully.
> 
> LibreSSL (which is what macOS ships in base) is also not vulnerable, and neither 
> is OpenSSL 1.
> 
> Anyway, I agree it's important to get tested and merged, but I'm not sure if 
> it would be necessary to jump the gun of the maintainers?
> 
> On Tue, Nov 1, 2022, 11:04 Kirill A. Korinsky via macports-dev 
> <macports-dev@lists.macports.org> wrote:
> Folks,
> 
> OpenSSL team released a fix for found CVE: 
> https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/
> 
> May I ask someone to review a PR to fix this CVE?
> 
> https://github.com/macports/macports-ports/pull/16545
> 
> I think that this CVE should be a reason to merge such a PR ASAP without 
> the maintainers' confirmation.

-- 
Daniel J. Luke
