
Re: CVE check for Octave dependencies


From: Doug Stewart
Subject: Re: CVE check for Octave dependencies
Date: Thu, 19 Dec 2013 10:33:39 -0500




On Thu, Dec 19, 2013 at 9:29 AM, Reza Housseini <address@hidden> wrote:



On Thu, Dec 19, 2013 at 3:19 PM, Rik <address@hidden> wrote:
On 12/18/2013 11:28 PM, address@hidden wrote:
> Message: 5
> Date: Thu, 19 Dec 2013 07:52:56 +0100
> From: Reza Housseini <address@hidden>
> To: CdeMills <address@hidden>
> Cc: "address@hidden" <address@hidden>
> Subject: Re: CVE check for Octave dependencies
> Message-ID:
>       <address@hidden>
> Content-Type: text/plain; charset="iso-8859-1"
>
> On Wed, Dec 18, 2013 at 6:30 PM, CdeMills <address@hidden> wrote:
>
>> > Hello,
>> >
>> > I've added a new column in table found at http://wiki.octave.org/Building
>> >
>> > With respect to the dependencies, there are two issues:
>> > 1) cURL versions 7.18.0 to 7.32.0 are susceptible to a 'man-in-the-middle'
>> > attack, see
>> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4545&cid=1
>> > 2) graphicsmagick  up to 1.3.18 may crash while exporting some kind of
>> > images, see
>> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4589&cid=1
>> >
>> > Is it possible at the configure step to verify that the versions of those
>> > two libs are safe ?
>> >
>> > Regards
>> >
>> > Pascal
>> >
>> >
>> >
>> > --
>> > View this message in context:
>> > http://octave.1599824.n4.nabble.com/CVE-check-for-Octave-dependencies-tp4660188.html
>> > Sent from the Octave - Maintainers mailing list archive at Nabble.com.
>> >
> That's a good idea. Can someone also provide names of the packages to
> install for other systems? For example Cygwin, Fedora, etc.?
> I was also wondering why LLVM isn't on the list from the webpage?

Some of this is subjective.  I wouldn't put LLVM on the list of
dependencies because the JIT compiler is still a very optional element of
Octave and won't become anywhere near required until release 4.2 or 4.4.
Going the other way, I don't see Java on the list and that's pretty
important if you want to use that interface.  And Java probably will have
CVE listings.

--Rik

But I'd say we list it but with the level optional and the explication that it's only used when the jit compile flag is enabled

I tried this in Ubuntu but it failed
address@hidden:~/octave380rc1/octave-3.8.0-rc1$ sudo port installed and depof:octave-next  +atlas+gcc47-x11+no_x11-aquaterm-metis-wxwidgets+qt and active | sed 's/(active)//g'
[sudo] password for doug: 
sudo: port: command not found
address@hidden:~/octave380rc1/octave-3.8.0-rc1$ 

What would be the command for Ubuntu 12.04?

--
DAS
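The configure-time check Pascal asks about, as an added example that is not part of this thread or of Octave's own build system. It implements a dotted-version comparison in POSIX sh and flags the two ranges quoted above (cURL 7.18.0 through 7.32.0 for CVE-2013-4545, GraphicsMagick up to 1.3.18 for CVE-2013-4589). The function names, and the use of `curl-config --version` and `GraphicsMagick-config --version` to discover installed versions, are assumptions; the version strings used when it runs stand-alone are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or the Octave build system): a check of
# the kind a configure script could run for the two advisories quoted above.
# Ranges come from the thread; helper names and the *-config lookups are assumptions.

# normalize V : keep only the leading digits-and-dots part ("7.32.0-DEV" -> "7.32.0")
normalize() {
    v="$1"
    v="${v%%[!0-9.]*}"
    printf '%s\n' "$v"
}

# vercmp A B : prints -1, 0 or 1 as A is less than, equal to, or greater than B
vercmp() {
    a=$(normalize "$1"); b=$(normalize "$2")
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"          # head component of each
        if [ "$a" = "$ah" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bh" ]; then b=""; else b="${b#*.}"; fi
        ah="${ah:-0}"; bh="${bh:-0}"          # "7.18" compares equal to "7.18.0"
        if [ "$ah" -lt "$bh" ]; then echo -1; return 0; fi
        if [ "$ah" -gt "$bh" ]; then echo 1; return 0; fi
    done
    echo 0
}

# in_range V LO HI : succeeds when LO <= V <= HI
in_range() {
    [ "$(vercmp "$1" "$2")" -ge 0 ] && [ "$(vercmp "$1" "$3")" -le 0 ]
}

# curl_vulnerable V : CVE-2013-4545 range quoted in the thread, 7.18.0 to 7.32.0
curl_vulnerable() { in_range "$1" 7.18.0 7.32.0; }

# gm_vulnerable V : CVE-2013-4589 range quoted in the thread, up to 1.3.18
gm_vulnerable() { [ "$(vercmp "$1" 1.3.18)" -le 0 ]; }

# installed_version CMD : first dotted number printed by "CMD --version"; fails if CMD is absent
installed_version() {
    command -v "$1" >/dev/null 2>&1 || return 1
    "$1" --version 2>/dev/null | sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# report_curl V / report_gm V : print a verdict, return 1 when the version is affected
report_curl() {
    if curl_vulnerable "$1"; then
        echo "WARNING: libcurl $1 is in the CVE-2013-4545 range (7.18.0 to 7.32.0)"; return 1
    fi
    echo "libcurl $1: outside the CVE-2013-4545 range"
}
report_gm() {
    if gm_vulnerable "$1"; then
        echo "WARNING: GraphicsMagick $1 is in the CVE-2013-4589 range (up to 1.3.18)"; return 1
    fi
    echo "GraphicsMagick $1: outside the CVE-2013-4589 range"
}

# check_versions CURL_VER GM_VER : check two given version strings; 1 if either is affected
check_versions() {
    status=0
    report_curl "$1" || status=1
    report_gm "$2" || status=1
    return $status
}

# check_installed : same check against the libraries found on this machine (assumed helpers)
check_installed() {
    status=0
    cv=$(installed_version curl-config) || cv=""
    gv=$(installed_version GraphicsMagick-config) || gv=""
    if [ -n "$cv" ]; then report_curl "$cv" || status=1; else echo "curl-config not found; libcurl check skipped"; fi
    if [ -n "$gv" ]; then report_gm "$gv" || status=1; else echo "GraphicsMagick-config not found; GraphicsMagick check skipped"; fi
    return $status
}

# Stand-alone use: "sh cvecheck.sh" checks the installed libraries; constructed sample
# versions can be passed instead, e.g. "sh cvecheck.sh 7.32.0 1.3.19".
if [ $# -eq 2 ]; then check_versions "$1" "$2"; else check_installed; fi
```

In an Autoconf setup the same comparison would live in an `AC_MSG_CHECKING`/`AC_MSG_WARN` block, with the version read from `curl-config` or `pkg-config`; the point of keeping the ranges in one place is that they can be widened when a later advisory extends them.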

