stable

rxvt-unicode-9.30-2.el7

FEDORA-EPEL-2022-c57a51c195 created by rharwood a year ago for Fedora EPEL 7
  • Update to 9.30
  • Strip package back to just be the -terminfo file.
  • This is due to CVE-2022-4170: unaffected versions of rxvt-unicode (that is, libptytty) don't build on epel7.

This update has been submitted for testing by rharwood.

a year ago

This update's test gating status has been changed to 'ignored'.

a year ago

This update has been pushed to testing.

a year ago

This update has been submitted for stable by bodhi.

a year ago

This update has been pushed to stable.

a year ago
carlwgeorge commented & provided feedback 10 months ago

The EPEL updates policy states that updates with major changes to user experience are to be avoided. This update does not appear to follow that policy. Please avoid such disruptive updates for EPEL packages in the future. If it is unavoidable, please follow the incompatible upgrades policy.

rharwood commented & provided feedback 10 months ago

As kindly as I can: absolutely not.

I fixed a security issue with an assigned CVE. I am not going to seek anyone's approval to fix publicly disclosed security issues. (The only thing you can possibly do is demand I leave it vulnerable, so again: absolutely not.)

As with all packages in Fedora, you are welcome to submit patches that change things to be more to your liking - but I'm obviously not going to accept those that reintroduce security bugs, so have fun fighting el7's C++ compiler...

carlwgeorge commented & provided feedback 10 months ago

If you read the EPEL incompatible upgrades policy, you'll see that security updates are explicitly mentioned as good justification for performing an incompatible upgrade. But security justification doesn't absolve the maintainer from following the process. There are important notification steps that are involved. Alternatively, it may make more sense to retire a package from EPEL outright, which has its own process with notification steps.

This is the policy that all EPEL packagers are required to follow. If you disagree with the policy, you are welcome to submit changes to the policy to be more to your liking, which will be reviewed by the EPEL Steering Committee.

carlwgeorge commented & provided feedback 10 months ago

Please see the following pull requests:

Merging these and building them for EPEL 7 will resolve this situation.


Metadata
Type: security
Karma: 0
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -3
Stable by Karma: 3
Stable by Time: 7 days
Dates
submitted: a year ago
in testing: a year ago
in stable: a year ago
Bugs
BZ#2151598 CVE-2022-4170 rxvt-unicode: remote code execution via background OSC [epel-all]