On 2009/02/27 19:37, [email protected] wrote:
> On 27 February 2009 at 13:32, Stuart Henderson <[email protected]> wrote:
>
> > On 2009/02/26 21:06, [email protected] wrote:
> > > Not sure if it requires a lib bump:
> >
> > http://www.openbsd.org/porting/libraries.html gives guidance.
>
> Guidance yes but I was already aware of what is said there. I thought
> since tree lock is in effect and it was a security hole that a patch
> might be appreciated since it has no MAINTAINER (is it too late for
> 4.5?).

Yes, too late for 4.5 (it was already late when the advisory was issued).

> From the CHANGES file I didn't see any mention of an API change so I
> didn't bump it, but I defer to those in the commit-chair; that's all.

I think "Added png_check_cHRM_fixed() in png.c" means a minor bump.

In any event, the bump should be done unless you've checked (usually by
diffing the source) that it isn't needed.

One way to avoid bumping for security fixes when this happens is to
isolate just that fix from other changes, and patch for that problem only
(cf. many of Nikolay's commits to the -stable branches when he maintained
them).
