I'm forwarding this to bug-guix@gnu.org so that it won't be forgotten.
Mark-------------------- Start of forwarded message -------------------- Subject: security patching of 'patch' package From: Léo Le Bouter <lle-b...@zaclys.net> To: guix-de...@gnu.org Date: Wed, 10 Mar 2021 04:14:35 +0100
Hello! I could find that the 'patch' package was vulnerable to numerous CVEs that other distros like Debian have patched. Here's the list reported by 'guix lint -c cve patch': patch@2.7.6: probably vulnerable to CVE-2019-13636, CVE-2019-13638, CVE-2019-20633, CVE-2018-1000156, CVE-2018-20969, CVE-2018-6951, CVE- 2018-6952 Can I use latest commit from master to build 'patch' then graft original package? i.e. https://git.savannah.gnu.org/git/patch.git There's not that many commits since last release, but lots of time: https://git.savannah.gnu.org/cgit/patch.git/log/ Thank you, Léo
signature.asc
Description: This is a digitally signed message part
-------------------- End of forwarded message --------------------
