[bug#74060] [PATCH] gnu: Remove allegro-5.0. [security fixes]
From: Nicolas Graves
Subject: [bug#74060] [PATCH] gnu: Remove allegro-5.0. [security fixes]
Date: Tue, 12 Nov 2024 11:58:05 +0100
On 2024-11-11 15:17, Nicolas Graves via Guix-patches via wrote:
> On 2024-11-11 21:37, Maxim Cournoyer wrote:
>
>> Hi!
>>
>> Nicolas Graves <ngraves@ngraves.fr> writes:
>>
>>> This package has no dependencies in Guix, is unsupported (see
>>> https://liballeg.org/old.html) and is vulnerable to CVE-2021-36489.
>>>
>>> * gnu/packages/game-development.scm (allegro-5.0): Delete variable.
>>> * gnu/local.mk: Deregister patch.
>>> * gnu/packages/patches/allegro-mesa-18.2.5-and-later.patch: Delete file.
>>
>> We also have an allegro-4.0 variable; is this one not vulnerable?
>> https://nvd.nist.gov/vuln/detail/CVE-2021-36489 suggests it is (up to
>> 5.2.6).
>
> If it is removable easily, we should remove it yes. I might have
> forgotten this one.
>
> They are indeed unsupported versions, I reported that upstream in
> https://github.com/liballeg/allegro5/issues/1587
> which confirmed that these versions won't receive security patches.

Indeed there's still a package depending on allegro-4 (aseprite). I
think that's the reason why I didn't consider updating it back then.
The issue is that the new version of aseprite seems nonfree (restricts
freedom to share the software, and the freedom to collaborate on the
software).

IMO we should remove both. Users can still use time-machine if they
really want to use that version, or submit a new version of aseprite in
nonguix. WDYT?

--
Best regards,
Nicolas Graves