Hi leot@, (pkgsrc-changes@)

On 29/09/2020 10:53, Leonardo Taccari wrote:
> [...]
> Pierre Pronchery writes:
>> [...]
>> Log Message:
>> py-rpyc: import version 3.3.0
>> [...]
>> Index: pkgsrc/net/py-rpyc/TODO
>> diff -u /dev/null pkgsrc/net/py-rpyc/TODO:1.1
>> --- /dev/null Tue Sep 29 02:29:08 2020
>> +++ pkgsrc/net/py-rpyc/TODO Tue Sep 29 02:29:07 2020
>> @@ -0,0 +1,2 @@
>> +This package has known vulnerabilities, please investigate and fix if possible:
>> + CVE-2019-16328
>
> Packages in pkgsrc do not have any TODO usually and we track security
> issues via TODO files only in pkgsrc-wip.
> Please add a corresponding entry in pkg-vulnerabilities and then remove
> this TODO if the vulnerability is still present so users installing
> py-rpyc can be aware of it.

According to the advisory, CVE-2019-16328 would apply to versions 4.1.0 and
4.1.1, and I have only packaged up to version 3.4.4 so far.

The package versions are still lagging behind because they are not all
available with the source code on PyPI. I may have to switch the package to
rely on GitHub instead, where the upstream still publishes source archives.

When updating to newer versions, we will have to be careful to skip the
vulnerable versions mentioned above though.

Cheers,
-- khorben
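Review bot: the added TODO file (the `@@ -0,0 +1,2 @@` hunk) states that this package has known vulnerabilities, yet the Log Message imports version 3.3.0 and the reply notes that the advisory for CVE-2019-16328 covers 4.1.0 and 4.1.1, so the note records an issue against a version the package does not ship. Drop the TODO from the import and, if the affected range is confirmed, record CVE-2019-16328 with its affected versions in pkg-vulnerabilities instead, which is where pkgsrc users actually get such warnings.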