Source: bibledit
Version: 5.0.331-1
Severity: grave
Tags: security


I notice bibledit embeds mbed TLS 2.2.1. The embedded version is
vulnerable to at least these CVEs (based on the version number and
assuming they have not been manually patched):

[disclaimer: the mbedtls package is still vulnerable to the last two,
but I am working on fixing those]

I see you have overridden lintian which warns you about this:
> # For just now the mbed TLS library is included.
> # When using the system-provided libmbedtls, there currently is a 
> segmentation fault.
> # Pending investigation of this fault, temporarily include mbed TLS.
> # Here is the link to the issue: 
> # By the way, isn't it called "mbed" TLS, obviously intended to be "embedded"?
> # So Bibledit is doing that right now, it "embeds" mbed TLS.
> bibledit: embedded-library usr/bin/bibledit: mbedtls

"mbed" is the brand name ARM uses for its IOT operating system (of which
mbedtls is a component) and therefore is derived from "embedded systems".

IMO embedding a security library is unacceptable and the package should
not be in a stable release in its current state.


Attachment: signature.asc
Description: OpenPGP digital signature

Pkg-crosswire-devel mailing list

Reply via email to