Re: [Rd] Patches for CVE-2024-27322
Many thanks both. I'll wait for Luke's confirmation to trigger the update
with the backported fix.

Iñaki

On Tue, 30 Apr 2024 at 12:42, Dirk Eddelbuettel wrote:

>
> On 30 April 2024 at 11:59, peter dalgaard wrote:
> | svn diff -c 86235 ~/r-devel/R
>
> Which is also available as
>
> https://github.com/r-devel/r-svn/commit/f7c46500f455eb4edfc3656c3fa20af61b16abb7
>
> Dirk
>
> | (or 86238 for the port to the release branch) should be easily backported.
> |
> | (CC Luke in case there is more to it)
> |
> | - pd
> |
> | > On 30 Apr 2024, at 11:28 , Iñaki Ucar wrote:
> | >
> | > Dear R-core,
> | >
> | > I just received notification of CVE-2024-27322 [1] in RedHat's Bugzilla. We
> | > updated R to v4.4.0 in Fedora rawhide, F40, EPEL9 and EPEL8, so no problem
> | > there. However, F38 and F39 will stay at v4.3.3, and I was wondering if
> | > there's a specific patch available, or if you could point me to the commits
> | > that fixed the issue, so that we can cherry-pick them for F38 and F39.
> | > Thanks.
> | >
> | > [1] https://nvd.nist.gov/vuln/detail/CVE-2024-27322
> | >
> | > Best,
> | > --
> | > Iñaki Úcar
> |
> | --
> | Peter Dalgaard, Professor,
> | Center for Statistics, Copenhagen Business School
> | Solbjerg Plads 3, 2000 Frederiksberg, Denmark
> | Phone: (+45)38153501
> | Office: A 4.23
> | Email: pd@cbs.dk Priv: pda...@gmail.com
>
> --
> dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org
>

--
Iñaki Úcar
Re: [Rd] Patches for CVE-2024-27322
On 30 April 2024 at 11:59, peter dalgaard wrote:
| svn diff -c 86235 ~/r-devel/R

Which is also available as

https://github.com/r-devel/r-svn/commit/f7c46500f455eb4edfc3656c3fa20af61b16abb7

Dirk

| (or 86238 for the port to the release branch) should be easily backported.
|
| (CC Luke in case there is more to it)
|
| - pd
|
| > On 30 Apr 2024, at 11:28 , Iñaki Ucar wrote:
| >
| > Dear R-core,
| >
| > I just received notification of CVE-2024-27322 [1] in RedHat's Bugzilla. We
| > updated R to v4.4.0 in Fedora rawhide, F40, EPEL9 and EPEL8, so no problem
| > there. However, F38 and F39 will stay at v4.3.3, and I was wondering if
| > there's a specific patch available, or if you could point me to the commits
| > that fixed the issue, so that we can cherry-pick them for F38 and F39.
| > Thanks.
| >
| > [1] https://nvd.nist.gov/vuln/detail/CVE-2024-27322
| >
| > Best,
| > --
| > Iñaki Úcar
|
| --
| Peter Dalgaard, Professor,
| Center for Statistics, Copenhagen Business School
| Solbjerg Plads 3, 2000 Frederiksberg, Denmark
| Phone: (+45)38153501
| Office: A 4.23
| Email: pd@cbs.dk Priv: pda...@gmail.com

--
dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org
Re: [Rd] Patches for CVE-2024-27322
svn diff -c 86235 ~/r-devel/R

(or 86238 for the port to the release branch) should be easily backported.

(CC Luke in case there is more to it)

- pd

> On 30 Apr 2024, at 11:28 , Iñaki Ucar wrote:
>
> Dear R-core,
>
> I just received notification of CVE-2024-27322 [1] in RedHat's Bugzilla. We
> updated R to v4.4.0 in Fedora rawhide, F40, EPEL9 and EPEL8, so no problem
> there. However, F38 and F39 will stay at v4.3.3, and I was wondering if
> there's a specific patch available, or if you could point me to the commits
> that fixed the issue, so that we can cherry-pick them for F38 and F39.
> Thanks.
>
> [1] https://nvd.nist.gov/vuln/detail/CVE-2024-27322
>
> Best,
> --
> Iñaki Úcar

--
Peter Dalgaard, Professor,
Center for Statistics, Copenhagen Business School
Solbjerg Plads 3, 2000 Frederiksberg, Denmark
Phone: (+45)38153501
Office: A 4.23
Email: pd@cbs.dk Priv: pda...@gmail.com
[Rd] Patches for CVE-2024-27322
Dear R-core,

I just received notification of CVE-2024-27322 [1] in RedHat's Bugzilla. We
updated R to v4.4.0 in Fedora rawhide, F40, EPEL9 and EPEL8, so no problem
there. However, F38 and F39 will stay at v4.3.3, and I was wondering if
there's a specific patch available, or if you could point me to the commits
that fixed the issue, so that we can cherry-pick them for F38 and F39.
Thanks.

[1] https://nvd.nist.gov/vuln/detail/CVE-2024-27322

Best,
--
Iñaki Úcar