On Thu, Mar 12, 2020 at 12:34:19PM +0000, [email protected] wrote:
> On Thu, Mar 12, 2020 at 12:25:21PM +0000, Mittal, Anuj wrote:
> > It looks like this is changing the API. I wonder if this would need any
> > other change or break something elsewhere in OE-core, meta-oe?
> >
> > http://aspell.net/buffer-overread-ucs.txt
>
> Debian classified issues as minor and fixed only by updating
> to 0.60.8:
>
> https://security-tracker.debian.org/tracker/CVE-2019-20433
> https://metadata.ftp-master.debian.org/changelogs//main/a/aspell/aspell_0.60.8-1_changelog
>
> Maybe whitelist for stable branches and update to new version on master?
master already has the new version.

IMHO whitelisting is wrong unless there would be a clear and documented policy on what kind of vulnerabilities are getting whitelisted. But even then "Base Score: 9.1 CRITICAL"[1] would make whitelisting unlikely in this case.

> Cheers,
>
> -Mikko

cu
Adrian

[1] https://nvd.nist.gov/vuln/detail/CVE-2019-20433
