guix-devel

Security update needed for spice


From: Mark H Weaver
Subject: Security update needed for spice
Date: Mon, 22 Aug 2016 00:09:18 -0400

Hi David,

There are two high-severity security flaws in spice that are apparently
fixed in spice-0.12.8:  CVE-2016-0749 and CVE-2016-2150

  https://lwn.net/Articles/697698/
  https://bugzilla.redhat.com/show_bug.cgi?id=1343135
  https://bugzilla.redhat.com/show_bug.cgi?id=1343137

While investigating, I noticed that we're using a "development release"
of spice (0.13.x) instead of a "stable release" (0.12.x):

  http://www.spice-space.org/download.html#stable-release

We should probably be using the stable release.  What do you think?

Anyway, would you be willing to handle this security update, by
switching Guix to a version of spice that's not vulnerable?
The summary line could end with "[fixes CVE-2016-{0749,2150}]."

Thanks for your contributions.

        Mark


