Review a fix for OpenSSL3 CVE

Daniel J. Luke dluke at geeklair.net
Tue Nov 1 20:45:26 UTC 2022


I don't mind waiting a bit for the maintainer for this one (especially since it looks like it's already been approved and merged by the maintainer :) ), but the policy that allows waiving maintainer permission was intended to specifically cover security issues (i.e. we discussed this when creating the policy and decided that the point that says 'A critical port is broken that affects many users' covered security fixes to ports).

> On Nov 1, 2022, at 2:15 PM, grey <artkiver at gmail.com> wrote:
> 
> I think neverpanic tends to be pretty responsive?
> 
> Moreover, the severity was downgraded from Critical to High between the time the vulnerability was circulating through the grapevine and when it actually was disclosed. There are also no known exploits in the wild, thankfully.
> 
> LibreSSL (which is what macOS ships in base) is also not vulnerable, neither is OpenSSL1.
> 
> Anyway, I agree it's important to get tested and merged, but I'm not sure if it would be necessary to jump the gun of the maintainers?
> 
> On Tue, Nov 1, 2022, 11:04 Kirill A. Korinsky via macports-dev <macports-dev at lists.macports.org> wrote:
> Folks,
> 
> The OpenSSL team released a fix for a CVE: https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/
> 
> May I ask someone to review a PR to fix this CVE?
> 
> https://github.com/macports/macports-ports/pull/16545
> 
> I think that this CVE should be a reason to merge such a PR ASAP without maintainers' confirmation.

-- 
Daniel J. Luke
