[Buildroot] [PATCH v2] jasper: bump version to 2.0.0 (security)

Peter Korsgaard peter at korsgaard.com
Mon Nov 28 21:45:57 UTC 2016


>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni at free-electrons.com> writes:

 > Hello,
 > On Mon, 28 Nov 2016 13:41:34 +0000, Vicente Olivert Riera wrote:
 >> Fixed CVEs:
 >> - CVE-2016-9387
 >> - CVE-2016-9388
 >> - CVE-2016-9389
 >> - CVE-2016-9390
 >> - CVE-2016-9391
 >> - CVE-2016-9392
 >> - CVE-2016-9393
 >> - CVE-2016-9394
 >> - CVE-2016-9395
 >> - CVE-2016-9396
 >> - CVE-2016-9397
 >> - CVE-2016-9398
 >> - CVE-2016-9399
 >> - CVE-2016-9557
 >> - CVE-2016-9560
 >> 
 >> Changes to jasper.mk:
 >> - Switched to CMake package infrastructure.

 > Do we really need to bump to 2.0.0 to get those security fixes?
 > Changing the package to CMake is a big change, which I'm not sure I
 > want to merge that close to the final release.

 > I see we have 1.900.22 currently, while there is also a 1.900.29
 > version released upstream. Does this version also include the security
 > fixes perhaps?

Indeed. There is also a .30 and .31, and as far as I can see the only
difference between 1.900.31 and 2.0 is cmake and some travis
stuff. Looking at the CVE numbers on the Debian security tracker they
all seem to refer to earlier commits, e.g.:

https://security-tracker.debian.org/tracker/CVE-2016-9560

Vicente, can you send a minimal patch updating to 1.900.31 for 2016.11
and then a followup patch once 2016.11 is out to bump to 2.0?

-- 
Bye, Peter Korsgaard