There are various CVEs for embedded libraries

Question

robrwo opened this issue 3 years ago · 5 comments

The version of zlib seems to be affected by CVE-2018-25032

The version of http-parser seems to be affected by CVE-2019-9900

Answer 1 · 2022-06-30T15:11:45.000Z

These are bundled by libgit2. When they are addressed upstream, I can attempt an upgrade.

Answer 2 · 2022-06-30T18:22:59.000Z

I have emailed security@libgit2.com about that issue.

Answer 3 · 2022-07-06T10:37:11.000Z

I've gotten a confirmation from Ed Thomson re libgit2 security issues. He expects to publish fixes next week.

Answer 4 · 2022-07-06T13:47:49.000Z

Great, thanks for the update. I'll push a fix as soon as I can.

Answer 5 · 2022-10-23T16:31:43.000Z

Version 0.89 is now available, which should address these.