Hello folks, ghostscript package has been rebased to version 9.20 across all current Fedora releases. I am very well aware that we shouldn't do rebases for current releases, to avoid stability problems. However, I have decided for this step in order to fix 4 CVEs that arrived yesterday for ghostscript (3 of them with security impact=high).
Backporting the security fixes from upstream across 4 versions of ghostscript could increase the possibility the fixes wouldn't be backported correctly, and it would be most likely much more time consuming. (I'm in time constraints ATM). I have discussed the rebase with upstream - THERE SHOULD BE NO API/ABI CHANGES between versions 9.16 ->> 9.20. Another notes for Fedora maintainers: * ghostscript sub-package structure remained same * 'ijs-config' custom tool from upstream has been removed (by upstream), 'pkg-config' is used by default now instead [1] * more info in release notes [2][3][4] Right now, I think only packages that depend on ghostscript-devel subpackage *might* be affected by this change. List of those packages: > ariamaestosa > ImageMagick > wfdb I think we can all agree that it's better to have some (not-critical) functionality broken for few days than vulnerable Fedora. :) I will be contacting maintainers of those packages and ask them to rebuild their package, to make sure everything will be working as it should. Thank you for your understanding! Best regards, Dee'Kej ---------- [1] http://git.ghostscript.com/?p=ghostpdl.git;h=0c176a91d53c85cda [2] https://bodhi.fedoraproject.org/updates/ghostscript-9.20-2.fc25 [3] https://bodhi.fedoraproject.org/updates/ghostscript-9.20-2.fc24 [4] https://bodhi.fedoraproject.org/updates/ghostscript-9.20-2.fc23 _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org
