
RE: [URGENT] Confirmation of Fixes for CVE's in 2.12.1

From: Arenas, Aaron
Subject: RE: [URGENT] Confirmation of Fixes for CVE's in 2.12.1
Date: Thu, 30 Jun 2022 04:48:04 +0000

Hello Werner,

Thank you for the insight about the "..." and tags.

I arrived at that conclusion because I was expecting a mention of CVE-2022-27404 
and the change that fixed it, but it wasn't there. Looking at docs/CHANGES, 
there was a mention of CVE-2018-25032, which made me think that mitigated 
CVEs were the ones mentioned, so if a CVE wasn't there, it hadn't been 
mitigated yet. Since CVE-2022-27404 wasn't listed, I assumed the worst, that the 
fix hadn't been pulled into the release for a reason unknown to me, so I had to 
ask for clarification. The insight you provided about the version 
tagging provided clarity and disproved my assumption that the fix wasn't in 
version 2.12.1, when in reality it was.

Hope that helps and thanks again!


-----Original Message-----
From: Werner LEMBERG <> 
Sent: Wednesday, June 29, 2022 9:22 PM
To: Arenas, Aaron <>
Subject: Re: [URGENT] Confirmation of Fixes for CVE's in 2.12.1

> Can you confirm which or if all the following fixes/patches/commits 
> that resolve the issues and CVEs below are incorporated into the latest 
> available version, 2.12.1?  [...]

They are, because...

> I see that version 2.12.1 was released 1 month ago [...]  and that 
> these fixes were committed 3 months ago.

... exactly because of that.  We don't maintain any other branch except 'master'.

> I would have expected the fixes to be incorporated. But it's unclear 
> based on the results of the code scan and changelog.

How did you come to this 'unclear' conclusion?  If you follow the links to the 
gitlab instance, just press the '...' button next to 'master', and you can 
immediately see the affected version tags.
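A command-line equivalent of the tag check described above, as an added example that is not part of the original thread and not the project's own tooling: instead of relying on docs/CHANGES, ask git directly which release tags contain a given fix commit. It builds a throwaway repository with constructed commits and tag names (v0.1, v0.2) so it runs offline; the fix commit, its message and the tags are all assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the original thread or from the project discussed.
# Answers "is fix commit X in release tag Y?" from history, not from a changelog.
# The repository, commit messages and tag names are constructed for the demo.
set -eu

# Identity so commits work in a clean environment without global git config.
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# fix_in_release REPO COMMIT TAG -> prints yes or no.
# --is-ancestor checks reachability along history, so it works even when the
# tag sits on another branch and regardless of what the CHANGES file says.
fix_in_release() {
    if git -C "$1" merge-base --is-ancestor "$2" "$3"; then
        echo yes
    else
        echo no
    fi
}

# tags_containing REPO COMMIT -> newline-separated tags that include the commit
# (the same list a web UI shows next to the branch name).
tags_containing() {
    git -C "$1" tag --contains "$2"
}

# Constructed history: release v0.1, a fix commit, an unrelated commit, release v0.2.
# Prints the repository path.
make_demo_repo() {
    repo=$(mktemp -d)
    git -C "$repo" init -q
    git -C "$repo" commit -q --allow-empty -m "initial import"
    git -C "$repo" tag v0.1
    git -C "$repo" commit -q --allow-empty -m "fix: hypothetical overflow (constructed, no real CVE)"
    git -C "$repo" commit -q --allow-empty -m "unrelated cleanup"
    git -C "$repo" tag v0.2
    echo "$repo"
}

# fix_commit REPO -> SHA of the fix commit, located by its commit message prefix.
fix_commit() {
    git -C "$1" log --all --format=%H --grep='^fix:'
}

# Stand-alone run: the fix is in v0.2 but not in v0.1.
demo_repo=$(make_demo_repo)
fix=$(fix_commit "$demo_repo")
echo "tags containing $fix:"
tags_containing "$demo_repo" "$fix"
echo "in v0.1: $(fix_in_release "$demo_repo" "$fix" v0.1)"
echo "in v0.2: $(fix_in_release "$demo_repo" "$fix" v0.2)"
rm -rf "$demo_repo"
```

Against a real checkout the same two functions take the upstream commit SHAs from the advisory and the release tag name; `merge-base --is-ancestor` is the one to script on, since `git tag --contains` lists every later tag, not just the release you are auditing.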

