> On Thu, Mar 05, 2015 at 05:52:12PM +0000, Stuart Henderson wrote:
> > On 2015/03/05 12:41, Ted Unangst wrote:
> > > Boudewijn Dijkstra wrote:
> > > > On Wed, 04 Mar 2015 23:12:07 +0100, Ted Unangst
> > > > <[email protected]> wrote:
> > > > > Freetype (http://www.freetype.org/) 2.5.5 was released a little while
> > > > > ago, fixing some security vulnerabilities. Actually as I understand it,
> > > > > 2.5.4 fixed the vulns, then 2.5.5 fixed the fix.
> > > > >
> > > > > OpenBSD 5.7 will ship with 2.5.5; 5.6 shipped with 2.5.3 and is
> > > > > therefore vulnerable.
> > > > >
> > > > > [...]
> > > > >
> > > > > Unfortunately, the FreeType project does not appear to have made
> > > > > these patches available separately from the releases, which makes it
> > > > > difficult for us to apply backports to OpenBSD.
> > > >
> > > > I guess the most important thing is to give users the opportunity to
> > > > fix the vulns. Will there be a CVS tag that 5.6 users can use to
> > > > update FreeType to 2.5.5?
> > >
> > > No. That's too large a change.
> >
> > Specifically there was a major version number bump to the library in
> > the 2.5.4 update. That means that other programs built to use freetype
> > would also need to be re-built.
> >
> > Moving to -current is considerably easier.
>
> So, in fact all 5.6's users sitting with vuln freetype in base now. Excellent!
Thank you for your wise commentary. Are you going to do something -- beyond just being sarcastic? Or is this a demonstration of your limited nature? The previous mails (enough of the bodies included above) are pretty clear about the scope of the issue and the reasoning. Perhaps there is room here for someone to demonstrate that the wrong decision has been made, by providing diffs, but the onus would be on you. Have you started?
