(Image::Scale): Upgrade libpng and libjpeg-turbo. #70

@fsbruva fsbruva commented Mar 21, 2019

In order to address several vulnerabilities in libpng, upgrade from
1.4.3 to 1.6.36. Also, use built-in pngusr.dfa methods to disable
unneeded features.

Upgrade libjpeg-turbo from 1.1.1 to 1.5.3, and use patch to disable
unneeded features (instead of using custom jmorecfg.h file)
Note: Upgrade beyond 1.5.3 will require CMake as new dependency

Fixes for libpng:
CVE-2011-2501, CVE-2011-2690, CVE-2011-2691, CVE-2011-2692,
CVE-2011-3048, CVE-2012-3425, CVE-2013-6954, CVE-2013-7353,
CVE-2013-7354, CVE-2014-9495, CVE-2015-0973, CVE-2015-8126,
CVE-2015-7981, CVE-2015-8472, CVE-2015-8540, CVE-2016-10087

Fixes for libjpeg-turbo:
CVE-2013-6629, CVE-2013-6630, CVE-2014-9092

Closes #68

@mherger mherger merged commit 8b05092 into LMS-Community:public/7.9 Mar 21, 2019