FIX CVE in external libraries #961
fix CVE vulnerability in zlib https://nvd.nist.gov/vuln/detail/CVE-2022-37434 Fix and improvements in zlib and freetype
CI is green! @clalancette any concerns with merging this in?
@clalancette and @Yadunund can we merge this ? we should probably run the CI again.
As elsewhere, I'd really rather have these vendored versions of the packages match what is in Ubuntu 22.04. For freetype, that looks to be version 2.11.1, and for zlib that looks to be 1.2.11 (what is already vendored here). Are there particular CVEs that we are looking to fix with the upgrade of zlib to something newer?

Thank you. Sorry, I see that this was in the initial description as well, I missed that yesterday. In that case, I think what we are doing here for zlib is fine. For freetype, I'd rather that we stick to the version vendored in Jammy, so please change that one back to 2.11.1. At that point I think we can go ahead with this PR.
set freetype version to 2.11.1 (used in Jammy)
@clalancette I changed the version of freetype to v.2.11.1
fix CVE vulnerability in zlib https://nvd.nist.gov/vuln/detail/CVE-2022-37434
fix CVE vulnerability in freetype https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15999
Fix and improvements in zlib and freetype