OK thanks, as far as I can tell then, it has not been patched.
On 19/03/2025 10:16, Edouard Klein wrote:
> On my system
>
> guix refresh --list-transitive icecat | grep -Eo '[^ ]*freetype[^ ]*'
>
> yields
>
> freetype@2.13.0
>
> Then guix edit freetype@2.13.0
>
> allows me to see exactly where the source is fetched from, and its hash.
>
> The manual is:
> https://guix.gnu.org/manual/devel/en/guix.html#Invoking-guix-refresh
>
> but if you don't know what terms to look for, the feature is hard to
> find. I did not remember "transitive", and found it by looking for
> "--list-dependant" which I remembered.
>
> You may be interested in guix graph, also.
>
> Cheers,
>
> Edouard.
>
> via <help-guix@gnu.org> writes:
>
>> How do I know which version of libfreetype6 Icecat is using? My debian
>> system has been updated with a fix to the vulnerability. But Icecat,
>> being installed with guix, carries with it I think its own version of
>> this library, as it is not a dynamic executable.
>>
>> https://security-tracker.debian.org/tracker/CVE-2025-27363