[arch-general] JasPer vulnerabilities
Is the package JasPer in extra repo vulnerable to CVE-2016-1577, CVE-2016-2089 and CVE-2016-2116? I noticed that the version number of JasPer is the same in Debian, Ubuntu and Arch, i.e. 1.900.1. Debian and Ubuntu seem to have updated/patched it, is Arch not vulnerable to it?

With regards,
Harrison Wells

On 07-03-16 10:55, Harrison Wells wrote:
> Is the package JasPer in extra repo vulnerable to CVE-2016-1577, CVE-2016-2089 and CVE-2016-2116? I noticed that the version number of JasPer is the same in Debian, Ubuntu and Arch, i.e. 1.900.1. Debian and Ubuntu seem to have updated/patched it, is Arch not vulnerable to it?
> With regards,
> Harrison Wells

The most recent added patch appears to be jasper-1.900.1-CVE-2015-5203. I suggest you report this to the arch-security mailing list, https://lists.archlinux.org/listinfo/arch-security

LW

Haven't reported in security list before. Should I just repost my previous message?

On 07-Mar-2016 5:28 PM, "LoneVVolf" <lonewolf@xs4all.nl> wrote:
> On 07-03-16 10:55, Harrison Wells wrote:
>> Is the package JasPer in extra repo vulnerable to CVE-2016-1577, CVE-2016-2089 and CVE-2016-2116? I noticed that the version number of JasPer is the same in Debian, Ubuntu and Arch, i.e. 1.900.1. Debian and Ubuntu seem to have updated/patched it, is Arch not vulnerable to it?
>> With regards,
>> Harrison Wells
>
> The most recent added patch appears to be jasper-1.900.1-CVE-2015-5203. I suggest you report this to the arch-security mailing list, https://lists.archlinux.org/listinfo/arch-security
> LW

On 03/07/2016 01:04 PM, Harrison Wells wrote:
> Haven't reported in security list before. Should I just repost my previous message?

It's an announcement-only mailing list, discussions should go here (arch-general) and most of the time we also notice and read that. However, to directly report or ask the security team about a security issue, the easiest and fastest way is to do it via IRC chan #archlinux-security on freenode. We are sitting there all the time and you will most likely get an answer within 1h.

Thanks for raising awareness about the jasper vulns, I will look into this after some meetings that I need to participate in.

cheers,
Levente

On 07-Mar-2016 5:59 PM, "Levente Polyak" <anthraxx@archlinux.org> wrote:
> On 03/07/2016 01:04 PM, Harrison Wells wrote:
>> Haven't reported in security list before. Should I just repost my previous message?
>
> It's an announcement-only mailing list, discussions should go here (arch-general) and most of the time we also notice and read that. However, to directly report or ask the security team about a security issue, the easiest and fastest way is to do it via IRC chan #archlinux-security on freenode. We are sitting there all the time and you will most likely get an answer within 1h.
>
> Thanks for raising awareness about the jasper vulns, I will look into this after some meetings that I need to participate in.
>
> cheers, Levente

I'm glad I could do something for the community. Will post my message on the security IRC channel then.

participants (3): Harrison Wells, Levente Polyak, LoneVVolf