Red Hat Bugzilla – Bug 170484
graphviz: CAN-2005-2961 (insecure temp file creation)
Last modified: 2007-11-30 17:11:15 EST
Haven't checked whether devel is affected, but earlier distro versions appear
graphviz-2.4 and earlier contained this bug. We were sent a patch for this on
August 8th and the fix is already in graphviz-2.6 on Fedora Extras.
But Fedora Extras for FC3 has unpatched version 2.2, and FC4 unpatched 2.2.1,
so they'll need the fix (or an upgrade to 2.6), no?
I just wanted to wait a few weeks with upgrading graphviz in older FE releases -
currently it's only committed, built for FEDevel. Until now I didn't receive any
bugs for graphviz 2.6 release in -devel, so I'll update it in fe3 and fe4 soon.
I can generate a patch against graphviz-2.2.1 for just this security bug if you
Update for FC-* in progress... Merging with devel...
I'll not update RHL-*, as I'm not supporting such *old* distros. :-P
I would be interested if there are any stats on how many people do still use RHL-*
(especially together with FE)... However..
FYI, I believe it's not possible to get anything older than FC3 built with the
FE build system. If you insist, updates for earlier distro versions can be
submitted to fedora.us.
Yes, Villea, you are correct, plague doesn't accept builds < FC3 and it does
make sense. :-)