There is also a newer p7zip version, 17.05, at https://github.com/p7zip-project/p7zip, which I've just noticed being used in Gentoo.
I didn't check if those CVE issues were fixed in this version.

On Mon, Dec 23, 2024 at 5:03 PM Peter Marko via lists.openembedded.org <peter.marko=siemens....@lists.openembedded.org> wrote:
>
> Please note that 7zip also provides a library, so it’s probably not safe to do this upgrade in LTS.
>
> It may, however, be possible to do it as an alternative opt-in recipe.
>
> Peter
>
> From: openembedded-devel@lists.openembedded.org <openembedded-devel@lists.openembedded.org> On Behalf Of hongxu via lists.openembedded.org
> Sent: Sunday, December 22, 2024 9:30
> To: openembedded-devel@lists.openembedded.org
> Subject: Re: [oe] [meta-oe][scarthgap][PATCH 1/4] Use 7zip 24.09 to replace p7zip 16.02
>
> Hi Armin,
>
> The p7zip is too old, has been dead since 2016, and has many vulnerable CVEs, such as:
>
> CVE-2024-11612
> CVE-2024-11477
> CVE-2023-52169
> CVE-2023-52168
> CVE-2023-40481
> CVE-2023-31102
> CVE-2023-1576
> CVE-2022-47069
>
> The 7z is a standalone command, and the version of all affected recipes (android-tools, python3-rarfile, xarchiver) has no change between master and scarthgap,
>
> so I backported the new 7zip recipe to scarthgap to use instead of p7zip. I think the regression is small.
>
> //Hongxu