Vulnerability roundup 53: openjpeg, qpdf

Hi everyone, a recent vulnix scan of the nixpkgs codebase identified 2 packages with issues:

So please go ahead and fix the stuff. In case you feel bored please pick up some older stuff!

I’m happy to see that several other issues have been caught by package maintainers right away. I’ve been asked in IRC why vulnix scan results come up weeks after the vulnerability has been published. This is because the NVD database entries (CVEs) get amended only slowly with structured information. vulnix is only able to parse the structured information not the free-text fields.

So the best we can probably do is that every package maintainer has an eye on the his//her packages and picks up security related updated as they are released. vulnix and the vulnerability roundups take care of what has left behind.

2 Likes