198053 2007-11-04 13:33 0000 GLSA 200710-12 applies to stable media-libs/t1lib 2007-11-08 06:43:02 0000 1 1 1 Unclassified Gentoo Security GLSA Errors unspecified All Linux RESOLVED INVALID jaervosz P2 normal --- 1 rich0@gentoo.org security@gentoo.org fonts@gentoo.org rich0@gentoo.org 2007-11-04 13:33:25 0000 GLSA 200710-12 is listed as applying to media-libs/t1lib < 5.0.2-r1. However, version 1.3.1 is still in portage and has numerous dependencies. If it is vulnerable then it needs to be fixed. If it is not vulnerable then the GLSA should be patched so that it doesn't come up as a false alarm. Do we need to add to the glsa?: <unaffected range="lt">5.0</unaffected> Reproducible: Always jaervosz@gentoo.org 2007-11-05 08:03:10 0000 fonts please advise wether 1.3.1 is affected? jaervosz@gentoo.org 2007-11-07 20:13:18 0000 The same code is present in t1lib-1.3.1. Do we have anything depending on the old version? dirtyepic@gentoo.org 2007-11-08 04:34:48 0000 No, it doesn't look like it. I've masked it for removal. dirtyepic@tycho ~ $ qgrep -N t1lib-1 app-misc/gfontview-0.5.0-r6:DEPEND=">=media-libs/t1lib-1.0.1 app-text/xdvik-22.40y-r2:DEPEND=">=media-libs/t1lib-1.3 media-gfx/swftools-0.7.0:DEPEND=">=media-libs/t1lib-1.3.1 media-gfx/swftools-0.8.0:DEPEND=">=media-libs/t1lib-1.3.1 media-gfx/swftools-0.8.1:DEPEND=">=media-libs/t1lib-1.3.1 media-libs/t1lib-1.3.1:# $Header: /var/cvsroot/gentoo-x86/media-libs/t1lib/t1lib-1.3.1.ebuild,v 1.29 2007/01/05 08:35:17 flameeyes Exp $ sci-visualization/grace-5.1.20: >=media-libs/t1lib-1.3.1 sci-visualization/grace-5.1.21: >=media-libs/t1lib-1.3.1 jaervosz@gentoo.org 2007-11-08 06:43:02 0000 Thanks Ryan and Richard. I'll close this one as INVALID since we don't have a policy regarding older vulnerable versions in the tree.