Fwd: [USN-6695-1] TeX Live vulnerabilities
Norbert Preining
norbert at preining.info
Tue Mar 19 09:55:08 CET 2024
Hi Bruno,
I really don't want to dig through more history here, Max has done an
awful lot of work, Ubuntu maintainers have as usual remained inactive
and leave it "to the community", and nobody has contacted the Debian
developers it seems (I am still on that mailing list).
So all in all, in my eyes another typical case of
I am a security researcher and need for my PhD N >= 3 CVEs with
my name on it ...
> -> but the issue was created on February 7 at cve.mitre, and published by Ubuntu on February 29, well after Karl's commit, so I wonder
People look at the code as it is in the Debian / Ubuntu repositories,
and most of the time do NOT check back whether upstream TeX Live has it
fixed already.
> -> the problem is attributed to a "texlive-bin commit c515e" but it's unclear what that means. Is this a commit to a texlive-bin package that would exist in Debian or Ubuntu? If so, I've no idea how to visualize that particular commit.
Probably the Debian git repo or the Ubuntu git repo commit hash that
made it in the last released version of it. If I want I could look it up
(at least for the Debian side), but I don't see a win here.
Best regards
Norbert
--
PREINING Norbert https://www.preining.info
arXiv / Cornell University + IFMGA Guide + TU Wien + TeX Live
GPG: 0x860CDC13 fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13