This is the mail archive of the cygwin-apps mailing list for the Cygwin project.



Re: [SECURITY] libpng vulnerabilities


On Tue, 2011-07-26 at 15:48 -0400, Charles Wilson wrote:
> On 7/26/2011 3:43 PM, Yaakov (Cygwin/X) wrote:
> > Remedy:
> > Update libpng10 to 1.0.55 (or just remove it, as nothing in the distro
> > depends on it any more), libpng12 to 1.2.45, and libpng14 to 1.4.8.
> 
> Thanks for the heads-up. I don't think I can get to this before tomorrow
> night, tho.
> 
> General question: would it be acceptable to move libpng10 to obsolete
> (removing libpng10-devel), and NOT update it -- rather than removing it
> entirely?

No, because anything which others may have built against it would remain
vulnerable (and the same goes for the old libpng2 BTW).  If libpng10
stays, it needs to be updated, but removing libpng10-devel is a good
idea in any case.


Yaakov


