Can we have a new release of GNU patch?
From: Eli Schwartz
Subject: Can we have a new release of GNU patch?
Date: Mon, 20 May 2024 16:14:27 -0400
User-agent: Mozilla Thunderbird

GNU patch version 2.7.6 was released in 2018, six years ago. Since then,
a bunch of fixes have been made.
Gentoo currently backports 12 commits from patch's master branch,
including a bunch of CVE fixes. Even this isn't enough to fix, for
example, https://bugs.gentoo.org/898598, which simply requires a new dist
tarball with updated gnulib.
(Unfortunately, updating gnulib is sufficiently complex I'm afraid to
touch it, and it is definitely going to be a problem to do it fully
offline as needed for distro packaging, especially for a oneshot event.)
gnulib was updated in response to the email thread:
"Build failure caused by out of date gnulib"
So it sounds like other people would appreciate a new release as well.
In particular I think it's important that CVE fixes be available in a
new dist tarball, to avoid the issue that not everyone will realize they
need to backport these fixes, and as a result, potentially end up with a
vulnerable `patch` binary.
--
Eli Schwartz