From: | Reza Housseini |
Subject: | Re: CVE check for Octave dependencies |
Date: | Thu, 19 Dec 2013 15:29:22 +0100 |
On 12/18/2013 11:28 PM, address@hidden wrote:
> Message: 5
> Date: Thu, 19 Dec 2013 07:52:56 +0100
> From: Reza Housseini <address@hidden>
> To: CdeMills <address@hidden>
> Cc: "address@hidden" <address@hidden>
> Subject: Re: CVE check for Octave dependencies
> Message-ID:
> <address@hidden>
> Content-Type: text/plain; charset="iso-8859-1"
>
> On Wed, Dec 18, 2013 at 6:30 PM, CdeMills <address@hidden> wrote:
>
>> > Hello,
>> >
>> > I've added a new column in table found at http://wiki.octave.org/Building
>> >
>> > With respect to the dependencies, there are two issues:
>> > 1) cURL versions 7.18.0 to 7.32.0 are susceptible to a 'man-in-the-middle'
>> > attack, see
>> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4545&cid=1
>> > 2) graphicsmagick up to 1.3.18 may crash while exporting some kind of
>> > images, see
>> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4589&cid=1
>> >
>> > Is it possible at the configure step to verify that the versions of those
>> > two libs are safe?
>> >
>> > Regards
>> >
>> > Pascal
>> >
>> >
>> >
>> > --
>> > View this message in context:
>> > http://octave.1599824.n4.nabble.com/CVE-check-for-Octave-dependencies-tp4660188.html
>> > Sent from the Octave - Maintainers mailing list archive at Nabble.com.
>> >
> That's a good idea. Can someone also provide names of the packages to
> install for other systems? For example Cygwin, Fedora, etc.?
> I was also wondering why LLVM isn't on the list from the webpage?

Some of this is subjective. I wouldn't put LLVM on the list of
dependencies because the JIT compiler is still a very optional element of
Octave and won't become anywhere near required until release 4.2 or 4.4.
Going the other way, I don't see Java on the list and that's pretty
important if you want to use that interface. And Java probably will have
CVE listings.
--Rik
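
The configure-time check asked about in the quoted message, as an added example that is not part of the original thread or of Octave's build system. The function names `ver_cmp`, `in_range` and `dep_is_affected` are hypothetical, and the affected ranges are copied from the message above rather than from the NVD entries.

```shell
#!/bin/sh
# Added example: flag dependency versions inside the ranges the thread cites.
# Function names are hypothetical; this is not Octave's configure code.

# ver_cmp A B -> prints -1, 0 or 1 (A older than, equal to, newer than B).
# Dotted versions are compared field by field as integers, so 7.9 < 7.18
# (a plain string comparison would get that wrong). Missing fields count as 0.
ver_cmp() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        # Remove the field just read (and its dot) from each version.
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        # Drop any non-numeric suffix such as "-DEV".
        fa=${fa%%[!0-9]*}; fb=${fb%%[!0-9]*}
        fa=${fa:-0}; fb=${fb:-0}
        if [ "$fa" -lt "$fb" ]; then echo -1; return; fi
        if [ "$fa" -gt "$fb" ]; then echo 1; return; fi
    done
    echo 0
}

# in_range V LO HI -> succeeds when LO <= V <= HI.
in_range() {
    [ "$(ver_cmp "$1" "$2")" -ge 0 ] && [ "$(ver_cmp "$1" "$3")" -le 0 ]
}

# dep_is_affected NAME VERSION -> succeeds (exit 0) when VERSION lies in a
# range quoted in the thread; unknown names are reported as not affected.
dep_is_affected() {
    case $1 in
        curl)           in_range "$2" 7.18.0 7.32.0 ;;  # CVE-2013-4545
        graphicsmagick) in_range "$2" 0 1.3.18 ;;       # CVE-2013-4589
        *)              return 1 ;;
    esac
}
```

In a configure script the version argument would come from the library's own tooling, for example `curl-config --version`, which prints the version after the word `libcurl`.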