Outdated dependencies at ftp.gnome.org (was: Makeing librsvg work (bizp2.dll missing))
- From: Hartmut Goebel <h goebel goebel-consult de>
- To: Tor Lillqvist <tml iki fi>
- Cc: gtk-app-devel-list gnome org
- Subject: Outdated dependencies at ftp.gnome.org (was: Makeing librsvg work (bizp2.dll missing))
- Date: Wed, 29 Jul 2009 22:07:13 +0200
Hartmut Goebel wrote:
> Tor Lillqvist wrote:
>> There is also a libbzip2 package on ftp.gnome.org:
> Thanks for this pointer! I did not recognise the 'dependencies'
> directory. It would have made my life much, much easier :-)
After having a real look at the 'dependencies' directory, I'm horrified!
I checked four packages and they are *all* outdated and contain security
bugs. Only a few examples of vulnerabilities for these versions:
- libxml2 2.6.27: CVE-2008-3529, CVSS Severity: 10.0 (HIGH)
- libbzip2 1.0.2: CVE-2008-1372, CVSS Severity: 4.3 (MEDIUM)
- openssl 0.9.7c: CVE-2006-3738, CVSS Severity: 10.0 (HIGH)
- gnutls 2.4.1: CVE-2008-4989, CVSS Severity: 4.3 (MEDIUM)
- gnutls 2.2.5: CVE-2008-1948, CVSS Severity: 10.0 (HIGH)
Now I'm at my wits' end!
There seems to be no reliable source for the third-party libraries GTK+
depends on which is compatible with GTK+. By reliable I mean: having
(at least nearly) up-to-date versions, especially when security fixes are published.
As I wrote earlier: I'm currently writing some tool to collect all the
dependencies for Tryton (www.tryton.org), an Open Source (GPL) ERP
system. But I can not put outdated and insecure software into the
development environment of somebody else! The one bundling the Tryton
windows installer will not be able to maintain it. He has no chance of
getting security holes fixed!
What should I do?
Best regards
Dipl.-Informatiker (univ.), CISSP, CSSLP
Specialist for IT security in complex environments
Goebel Consult, member of <http://www.7-it.de>
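The kind of check the post is doing by hand (comparing each bundled library's version against the version that carries a known fix), as an added example that is not part of the original mail or of any GNOME or Tryton tooling. The bundle manifest mirrors the versions quoted in the post; the minimum versions in MIN_SAFE are assumed placeholders for the demonstration, not verified advisory data, and the version parser is written to cope with OpenSSL-style letter suffixes such as 0.9.7c.

```python
"""Audit bundled third-party libraries against minimum safe versions."""
import re

def parse_version(text):
    """Turn '0.9.7c' into a comparable tuple.

    Numeric parts compare numerically; a trailing letter sorts after the
    bare release, so 0.9.7 < 0.9.7c < 0.9.8.  Short versions are padded so
    that 1.0 and 1.0.0 compare equal.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    suffix = ord(m.group(2)) - ord("a") + 1 if m.group(2) else 0
    nums = nums + (0,) * (4 - len(nums))
    return nums + (suffix,)

# Constructed manifest: the versions the post found in 'dependencies'.
BUNDLE = {
    "libxml2": "2.6.27",
    "bzip2": "1.0.2",
    "openssl": "0.9.7c",
    "gnutls": "2.4.1",
}

# ASSUMED placeholders: minimum version -> advisory it is meant to cover.
# Replace with the fixed versions from the real advisories before relying on it.
MIN_SAFE = {
    "libxml2": ("2.7.0", "CVE-2008-3529"),
    "bzip2": ("1.0.5", "CVE-2008-1372"),
    "openssl": ("0.9.8", "CVE-2006-3738"),
    "gnutls": ("2.6.0", "CVE-2008-4989"),
}

def audit(bundle, minimums):
    """Return {package: (bundled, required, advisory)} for every package
    whose bundled version is older than the required minimum."""
    findings = {}
    for pkg, have in bundle.items():
        if pkg not in minimums:
            continue  # no baseline known for this package
        need, advisory = minimums[pkg]
        if parse_version(have) < parse_version(need):
            findings[pkg] = (have, need, advisory)
    return findings

if __name__ == "__main__":
    for pkg, (have, need, adv) in sorted(audit(BUNDLE, MIN_SAFE).items()):
        print(f"{pkg}: bundled {have}, need >= {need} ({adv})")
```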