[OE-core] [PATCH] [zeus] aspell: CVE-2019-20433

Adrian Bunk bunk at stusta.de
Thu Mar 12 12:49:08 UTC 2020


On Thu, Mar 12, 2020 at 12:34:19PM +0000, Mikko.Rapeli at bmw.de wrote:
> On Thu, Mar 12, 2020 at 12:25:21PM +0000, Mittal, Anuj wrote:
> > It looks like this is changing the API. I wonder if this would need any
> > other change or break something elsewhere in OE-core, meta-oe?
> > 
> > http://aspell.net/buffer-overread-ucs.txt
> 
> Debian classified issues as minor and fixed only by updating
> to 0.60.8:
> 
> https://security-tracker.debian.org/tracker/CVE-2019-20433
> 
> https://metadata.ftp-master.debian.org/changelogs//main/a/aspell/aspell_0.60.8-1_changelog
> 
> Maybe whitelist for stable branches and update to new version on master?

master already has the new version.

IMHO whitelisting is wrong unless there is a clear and documented
policy on what kinds of vulnerabilities get whitelisted.

But even then "Base Score: 9.1 CRITICAL"[1] would make whitelisting 
unlikely in this case.

> Cheers,
> 
> -Mikko

cu
Adrian

[1] https://nvd.nist.gov/vuln/detail/CVE-2019-20433
