Re: [security fix] ghostscript rebased to 9-20 for all releases

2016-10-07 Thread David Kaspar [Dee'Kej]
Thank you, Solomon, for that info,

actually the gutenprint maintainer is my colleague, but he is sick today. I'm
adding him to CC, so he's aware of it when he returns. ;)

2 Zdenek: Please look at the whole thread here -
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/WZYPIRENDRAT3XZLTOVUVNOCJDZQIW3M/
- we discussed it a little on Thursday, so you should know what's going
on. :)

Best regards,

David Kaspar [Dee'Kej]
*Associate Software Engineer*
*Brno, Czech Republic*


On Fri, Oct 7, 2016 at 5:28 PM, Solomon Peachy wrote:

> On Fri, Oct 07, 2016 at 03:14:57PM -, David Kaspar wrote:
> > Right now, I think only packages that depend on ghostscript-devel subpackage
> > *might* be affected by this change. List of those packages:
> > > ariamaestosa
> > > ImageMagick
> > > wfdb
>
> Add gutenprint to that list.  I don't expect the existing package will
> malfunction in any way with the ghostscript bump, but it's not
> rebuildable without ijs-config.  There's an already-upstreamed patch
> that switches over to using pkg-config:
>
> https://sourceforge.net/p/gimp-print/source/ci/233a909a77dd4c18d359bf32cd8ef99ed1b7b459/
>
> (For the life of me I can't figure out how to get sourceforge to display
>  a raw diff.  I can supply one out of my local repo if need be..)
>
>  - Solomon
> --
> Solomon Peachy pizza at shaftnet dot org
> Delray Beach, FL  ^^ (email/xmpp) ^^
> Quidquid latine dictum sit, altum viditur.
>
> ___
> devel mailing list -- devel@lists.fedoraproject.org
> To unsubscribe send an email to devel-le...@lists.fedoraproject.org


Re: [security fix] ghostscript rebased to 9-20 for all releases

2016-10-07 Thread Solomon Peachy
On Fri, Oct 07, 2016 at 03:14:57PM -, David Kaspar wrote:
> Right now, I think only packages that depend on ghostscript-devel subpackage 
> *might* be affected by this change. List of those packages:
> > ariamaestosa
> > ImageMagick
> > wfdb

Add gutenprint to that list.  I don't expect the existing package will 
malfunction in any way with the ghostscript bump, but it's not 
rebuildable without ijs-config.  There's an already-upstreamed patch 
that switches over to using pkg-config:

https://sourceforge.net/p/gimp-print/source/ci/233a909a77dd4c18d359bf32cd8ef99ed1b7b459/

(For the life of me I can't figure out how to get sourceforge to display 
 a raw diff.  I can supply one out of my local repo if need be..)

 - Solomon
-- 
Solomon Peachy pizza at shaftnet dot org
Delray Beach, FL  ^^ (email/xmpp) ^^
Quidquid latine dictum sit, altum viditur.




[security fix] ghostscript rebased to 9-20 for all releases

2016-10-07 Thread David Kaspar
Hello folks,

The ghostscript package has been rebased to version 9.20 across all current Fedora
releases. I am very well aware that we shouldn't do rebases for current
releases, to avoid stability problems. However, I have decided on this step in
order to fix 4 CVEs that arrived yesterday for ghostscript (3 of them with
security impact=high).

Backporting the security fixes from upstream across 4 versions of ghostscript
could increase the possibility that the fixes wouldn't be backported correctly, and
it would most likely be much more time consuming. (I'm under time constraints ATM.)

I have discussed the rebase with upstream - THERE SHOULD BE NO API/ABI CHANGES
between versions 9.16 ->> 9.20. Other notes for Fedora maintainers:
* ghostscript sub-package structure remained the same
* 'ijs-config' custom tool from upstream has been removed (by upstream),
'pkg-config' is used by default now instead [1]
* more info in release notes [2][3][4]

Right now, I think only packages that depend on ghostscript-devel subpackage 
*might* be affected by this change. List of those packages:
> ariamaestosa
> ImageMagick
> wfdb

I think we can all agree that it's better to have some (not-critical)
functionality broken for a few days than a vulnerable Fedora. :) I will be
contacting maintainers of those packages and asking them to rebuild their package,
to make sure everything will be working as it should.

Thank you for your understanding!

Best regards,

Dee'Kej
--
[1] http://git.ghostscript.com/?p=ghostpdl.git;h=0c176a91d53c85cda
[2] https://bodhi.fedoraproject.org/updates/ghostscript-9.20-2.fc25
[3] https://bodhi.fedoraproject.org/updates/ghostscript-9.20-2.fc24
[4] https://bodhi.fedoraproject.org/updates/ghostscript-9.20-2.fc23