[SECURITY] libpng vulnerabilities

Yaakov (Cygwin/X) yselkowitz@users.sourceforge.net
Tue Jul 26 20:38:00 GMT 2011


On Tue, 2011-07-26 at 15:48 -0400, Charles Wilson wrote:
> On 7/26/2011 3:43 PM, Yaakov (Cygwin/X) wrote:
> > Remedy:
> > Update libpng10 to 1.0.55 (or just remove it, as nothing in the distro
> > depends on it any more), libpng12 to 1.2.45, and libpng14 to 1.4.8.
> 
> Thanks for the heads-up. I don't think I can get to this before tomorrow
> night, tho.
> 
> General question: would it be acceptable to move libpng10 to obsolete
> (removing libpng10-devel), and NOT update it -- rather than removing it
> entirely?

No, because anything which others may have built against it would remain
vulnerable (and the same goes for the old libpng2 BTW).  If libpng10
stays, it needs to be updated, but removing libpng10-devel is a good
idea in any case.


Yaakov



