Source: bibledit
Version: 5.0.331-1
Severity: grave
Tags: security

Hi,

I notice bibledit embeds mbed TLS 2.2.1. The embedded version is
vulnerable to at least these CVEs (based on the version number and
assuming they have not been manually patched):
 CVE-2017-2784
 CVE-2017-14032
 CVE-2018-0487
 CVE-2018-0488

[disclaimer: the mbedtls package is still vulnerable to the last two,
but I am working on fixing those]

I see you have overridden lintian which warns you about this:
> # For just now the mbed TLS library is included.
> # When using the system-provided libmbedtls, there currently is a segmentation fault.
> # Pending investigation of this fault, temporarily include mbed TLS.
> # Here is the link to the issue: https://github.com/bibledit/bibledit/issues/499
> # By the way, isn't it called "mbed" TLS, obviously intended to be "embedded"?
> # So Bibledit is doing that right now, it "embeds" mbed TLS.
> bibledit: embedded-library usr/bin/bibledit: mbedtls

"mbed" is the brand name ARM uses for its IoT operating system (of which
mbedtls is a component) and therefore is derived from "embedded systems".

IMO embedding a security library is unacceptable and the package should
not be in a stable release in its current state.

Thanks,
James
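The report above infers the embedded mbed TLS version from the version string compiled into the binary. The following is an added example, not part of the bug report or of bibledit, showing how to reproduce that check: it scans a binary for the `mbed TLS x.y.z` string that mbed TLS's version.c embeds and compares it against the 2.x mainline release in which each of the four listed CVEs was fixed (versions taken from the upstream mbed TLS security advisories; 1.3.x and 2.1.x LTS back-ports are deliberately not modelled). `SAMPLE_BINARY` is a constructed stand-in for `/usr/bin/bibledit`, and the function names are this example's own.

```python
"""Check a binary for an embedded mbed TLS version string and map it to known CVEs.

Added example, not part of the bug report or of bibledit. The fixed-in versions
are the 2.x mainline releases named in the upstream mbed TLS security advisories;
LTS back-ports (1.3.x, 2.1.x) are deliberately not modelled here.
"""
import re
import sys
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# mbed TLS's library/version.c embeds MBEDTLS_VERSION_STRING_FULL, e.g. "mbed TLS 2.2.1".
# The string lives in .rodata, so it survives stripping of symbols.
VERSION_RE = re.compile(rb"mbed TLS (\d+)\.(\d+)\.(\d+)")

# CVE -> first 2.x mainline release that contains the fix (upstream advisories
# 2017-01, 2017-02 and 2018-01). Assumption of this example: the copy was not
# patched by hand, which is exactly the caveat the report makes.
FIXED_IN_2X: Dict[str, Version] = {
    "CVE-2017-2784": (2, 4, 2),
    "CVE-2017-14032": (2, 6, 0),
    "CVE-2018-0487": (2, 7, 0),
    "CVE-2018-0488": (2, 7, 0),
}


def find_embedded_version(blob: bytes) -> Optional[Version]:
    """Return the first 'mbed TLS x.y.z' version found in a binary, or None."""
    m = VERSION_RE.search(blob)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def vulnerable_cves(version: Version) -> List[str]:
    """CVEs whose fix landed in a mainline release newer than the embedded version."""
    if version[0] != 2:
        raise ValueError("only the mbed TLS 2.x mainline is modelled here")
    # Tuple comparison is lexicographic, so (2, 2, 1) < (2, 4, 2) etc.
    return [cve for cve, fixed in FIXED_IN_2X.items() if version < fixed]


def audit_binary(blob: bytes) -> Dict[str, object]:
    """Combine detection and CVE mapping into one report dictionary."""
    version = find_embedded_version(blob)
    if version is None:
        return {"embedded": False, "version": None, "cves": []}
    return {"embedded": True, "version": version, "cves": vulnerable_cves(version)}


# Constructed stand-in for /usr/bin/bibledit: not a real ELF, just bytes carrying
# the version string the way a statically linked mbed TLS copy would.
SAMPLE_BINARY = b"\x7fELF" + b"\x00" * 12 + b"mbed TLS 2.2.1\x00" + b"\x90" * 8

if __name__ == "__main__":
    # Usage: python3 check_mbedtls.py /usr/bin/bibledit   (falls back to the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    report = audit_binary(data)
    if not report["embedded"]:
        print("no mbed TLS version string found")
    else:
        ver = ".".join(str(x) for x in report["version"])  # type: ignore[union-attr]
        print(f"embedded mbed TLS {ver}; unfixed: {', '.join(report['cves']) or 'none'}")  # type: ignore[arg-type]
```

Run against the real package contents with `python3 check_mbedtls.py /usr/bin/bibledit`. A hit proves the library is embedded, but the version string alone cannot tell a vanilla 2.2.1 from one with fixes cherry-picked in, so a clean result from this script does not replace reading the packaging patches.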
