pkgsrc-WIP-changes archive


Re: gitea: Remove TODO as the CVEs are fixed in the update



Hi,

Yeah, you are right. We should put back CVE-2018-15192 into the TODO file. It's not fixed.
Sorry, I should've checked better.

Regards,
Antonio Huete

Leonardo Taccari <leot%netbsd.org@localhost> wrote:

Hello Antonio,

Antonio Huete Jimenez writes:
[...]
Log Message:
gitea: Remove TODO as the CVEs are fixed in the update
[...]
--- a/gitea/TODO
+++ /dev/null
@@ -1,2 +0,0 @@
-This package has known vulnerabilities, please investigate and fix if possible:
-  CVE-2018-15192, CVE-2018-18926
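
Review bot: deleting gitea/TODO outright drops the notices for both CVE-2018-15192 and CVE-2018-18926 at once, while the log message names no upstream issue, pull request or fixed version for either. Confirm each CVE against its upstream fix separately and record the reference in the log message; if only one is confirmed, keep the file and remove just that entry so the remaining notice still reaches users.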

Thanks for updating it!

CVE-2018-18926 - despite the description of the CVE - seems fixed in
1.5.3 so it's okay to delete it (upstream issue #5140 and upstream pull
request #5177).
However, CVE-2018-15192 seems still not fixed (upstream issue #4624).
Am I missing something or should the part about CVE-2018-15192 be put
back so that users are informed about it?


Thank you!




