On Fri, May 15, 2020 at 03:59:57PM -0500, Carl George wrote:
The current version of oniguruma in EPEL 7 is affected by multiple
CVEs.
* rhbz#1466750 - CVE-2017-9224 CVE-2017-9225 CVE-2017-9226 CVE-2017-9227 CVE-2017-9228 CVE-2017-9229
* rhbz#1728967 - CVE-2019-13225
* rhbz#1728972 - CVE-2019-13224
* rhbz#1768999 - CVE-2019-16163
* rhbz#1770213 - CVE-2019-16161
* rhbz#1777538 - CVE-2019-19246
* rhbz#1802053 - CVE-2019-19012
* rhbz#1802063 - CVE-2019-19203
* rhbz#1802072 - CVE-2019-19204
I've discussed doing an incompatible upgrade of the package with the
other maintainers (rhbz#1777660), and so far no one is opposed to it.
As far as I can tell, the only package that would need to be rebuilt
is jq.
```
[root@c7-container:~]# repoquery --provides oniguruma | grep '\.so'
libonig.so.2()(64bit)
[root@c7-container:~]# repoquery --whatrequires 'libonig.so.2()(64bit)'
jq-0:1.6-1.el7.x86_64
oniguruma-devel-0:5.9.5-3.el7.x86_64
[root@c7-container:~]# repoquery --quiet --disablerepo \* \
    --queryformat '%{name}' --archlist src \
    --enablerepo epel-source,epel-testing-source --whatrequires oniguruma-devel
jq
```
Let me know your thoughts and concerns about moving forward with this.
+1 here and thanks for making EPEL a safer place.
kevin
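The impact check Carl ran by hand above (sonames provided by the package, binary packages linking them, source packages that BuildRequire the -devel subpackage) as an added script that is not part of the thread. It assumes yum-utils `repoquery` is on PATH with the EPEL repositories configured; the repo names come from the thread and the library package name is passed as the argument.

```shell
#!/bin/sh
# Added example, not from the thread: automate the impact check for a
# soname-changing (ABI-incompatible) library upgrade. Assumes yum-utils
# `repoquery` is on PATH with the EPEL repos configured; the repo names come
# from the thread, and the library package name is passed as the argument.
set -eu

# Sonames (e.g. libonig.so.2()(64bit)) provided by the library's binary package.
provided_sonames() {
    repoquery --provides "$1" | grep '\.so' | sort -u
}

# Binary packages that link against a given soname, as NEVRA strings.
soname_dependents() {
    repoquery --whatrequires "$1"
}

# Source packages whose BuildRequires pull in the -devel subpackage: they
# need a rebuild too, even if they ship no binary linking the library.
build_dependents() {
    repoquery --quiet --disablerepo '*' --queryformat '%{name}' --archlist src \
        --enablerepo epel-source,epel-testing-source --whatrequires "$1-devel"
}

# Strip "[-epoch:]version-release.arch" from a NEVRA, leaving the package name.
nevra_to_name() {
    sed 's/-\([0-9]*:\)\{0,1\}[^-]*-[^-]*\.[^.]*$//'
}

# Everything that must be rebuilt against the new soname, minus subpackages
# of the library itself (its -devel package is rebuilt with the upgrade).
rebuild_list() {
    lib="$1"
    {
        provided_sonames "$lib" | while read -r soname; do
            soname_dependents "$soname"
        done | nevra_to_name
        build_dependents "$lib"
    } | grep -v -e "^$lib\$" -e "^$lib-" | sort -u
}

if [ "$#" -gt 0 ]; then
    rebuild_list "$1"
fi
```

Run as `sh rebuild-check.sh oniguruma`; on the repositories shown in the thread it prints only `jq`.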