poppler, security updates in general...

Clemens Lang cal at macports.org
Thu Jan 11 00:42:14 UTC 2018


On Wed, Jan 10, 2018 at 04:39:05PM +0100, Rainer Müller wrote:
> > I think you’re referring to Repology:
> > 
> > https://repology.org
> > 
> > No CVE linkages that I can see there.  That would be a valuable
> > resource though.

That's the one, thanks.

> I do not think Repology would offer that because distributions often
> backport fixes to older versions. Therefore you cannot tell from the
> version number alone whether the software is still vulnerable.

Correct, repology doesn't solve this problem alone, but it may solve the
problem of finding the "canonical" name of a package in a CVE database,
which is the first step to tracking which ports have open CVEs.

Whether a CVE was already fixed in MacPorts of course needs to be
tracked separately from that.

> Not sure a full-blown security tracker is feasible compared to
> something like a simple website per port on which users could flag it
> as vulnerable for review by the maintainer.

Or even just a website that lists CVEs that affect the versions
currently in MacPorts. We don't backport security fixes very often, we
mostly just update versions.


More information about the macports-dev mailing list
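The check sketched in this thread (map each port to the canonical name a CVE database uses, test whether the version currently in the tree falls inside a CVE's affected range, and keep a separate record of CVEs already fixed in MacPorts by a backported patch) in working form. This is an added example, not MacPorts code and not anything Repology provides: the port names, canonical-name mapping, CVE identifiers and version ranges are all constructed sample data, and the version comparison is a simplified dotted-numeric one rather than MacPorts' own vercmp.

```python
"""Minimal open-CVE check for a set of ports (added example, constructed data)."""
import re

# Constructed: port name -> canonical name used by the CVE database.
# In practice this is the mapping Repology's project names could supply.
CANONICAL_NAME = {
    "py-foo": "foo",
    "libbar": "bar",
}

# Constructed CVE feed: one entry per (product, CVE), with the affected
# range as [introduced, fixed); fixed=None means no fixed release yet.
CVE_FEED = [
    {"id": "CVE-0000-0001", "product": "foo", "introduced": "1.0", "fixed": "1.4.2"},
    {"id": "CVE-0000-0002", "product": "foo", "introduced": "1.4.0", "fixed": None},
    {"id": "CVE-0000-0003", "product": "bar", "introduced": "2.0", "fixed": "2.1"},
]

# Constructed: the versions currently in the ports tree.
PORTS = {"py-foo": "1.4.1", "libbar": "2.1", "baz": "0.9"}

# CVEs fixed in MacPorts by a backported patch. This has to be tracked
# separately, because the version number alone cannot reveal it.
BACKPORTED = {("py-foo", "CVE-0000-0001")}


def parse_version(version):
    """Split a dotted version into a comparable tuple.

    Numeric components compare numerically (so 1.10 > 1.9); any
    non-numeric component sorts after numeric ones. Simplified, not vercmp.
    """
    parts = []
    for token in re.split(r"[.\-_]", version):
        parts.append((0, int(token)) if token.isdigit() else (1, token))
    return tuple(parts)


def is_affected(version, cve):
    """True if `version` lies in [cve.introduced, cve.fixed)."""
    v = parse_version(version)
    if v < parse_version(cve["introduced"]):
        return False
    if cve["fixed"] is not None and v >= parse_version(cve["fixed"]):
        return False
    return True


def unmapped_ports(ports, canonical):
    """Ports with no canonical name: they cannot be checked at all."""
    return sorted(p for p in ports if p not in canonical)


def open_cves(ports, feed, canonical, backported):
    """Return {port: [open CVE ids]} for every port with a canonical name.

    A CVE is open when the tree's version is in its affected range and no
    backported fix is recorded for that (port, CVE) pair.
    """
    result = {}
    for port, version in ports.items():
        product = canonical.get(port)
        if product is None:
            continue
        result[port] = sorted(
            cve["id"]
            for cve in feed
            if cve["product"] == product
            and is_affected(version, cve)
            and (port, cve["id"]) not in backported
        )
    return result


if __name__ == "__main__":
    for port, ids in open_cves(PORTS, CVE_FEED, CANONICAL_NAME, BACKPORTED).items():
        print(f"{port} {PORTS[port]}: {', '.join(ids) or 'no open CVEs'}")
    for port in unmapped_ports(PORTS, CANONICAL_NAME):
        print(f"{port}: no canonical name, not checked")
```

With the constructed data, `py-foo` reports only `CVE-0000-0002` (its other CVE is in the backport list), `libbar` is clean because `2.1` is the fixed release, and `baz` is reported as unchecked rather than silently treated as safe, which is the failure mode a name-mapping gap would otherwise produce.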