<div dir="auto">I think neverpanic tends to be pretty responsive?<div dir="auto"><br></div><div dir="auto">Moreover, the severity was downgraded from Critical to High between the time the vulnerability was circulating through the grapevine and the time it was actually disclosed. There are also no known exploits in the wild, thankfully.</div><div dir="auto"><br></div><div dir="auto">LibreSSL (which is what macOS ships in base) is also not vulnerable, and neither is OpenSSL1.</div><div dir="auto"><br></div><div dir="auto">Anyway, I agree it's important to get it tested and merged, but I'm not sure if it would be necessary to jump the gun on the maintainers?</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Nov 1, 2022, 11:04 Kirill A. Korinsky via macports-dev &lt;<a href="mailto:macports-dev@lists.macports.org">macports-dev@lists.macports.org</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word;line-break:after-white-space"><div>Folks,</div><div><br></div><div>The OpenSSL team released a fix for the found CVE: <a href="https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/" target="_blank" rel="noreferrer">https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/</a></div><div><br></div><div>May I ask someone to review a PR to fix this CVE?</div><div><br></div><div><a href="https://github.com/macports/macports-ports/pull/16545" target="_blank" rel="noreferrer">https://github.com/macports/macports-ports/pull/16545</a></div><div><br></div><div>I think that this CVE should be a reason to merge such a PR ASAP without maintainers' confirmation.</div><br><div>
<div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none">-- <br>wbr, Kirill</div>

</div>
<br></div></blockquote></div>