It is suspected that this package is vulnerable to a security vulnerability due to expansion of malicious entities via dev-perl/XML-Twig. As such we ask maintainers with packages suspected to be vulnerable to verify if the package is (or has been) affected. Please see the information contained in the tracker bug 600818.

# grep -Fr 'Twig->new' /var/tmp/portage/dev-perl/GraphViz-2.200.0/work/GraphViz-2.20
/var/tmp/portage/dev-perl/GraphViz-2.200.0/work/GraphViz-2.20/lib/GraphViz/XML.pm: my $t = XML::Twig->new();
commit d0e08d870bade71e8270b8344afc7c9fdb5969d8
Author: Kent Fredric <kentnl@gentoo.org>
Date:   Tue Dec 27 07:45:54 2016 +1300

    dev-perl/GraphViz: Bump to version 2.230.0 re #600828

    - Use DIST_EXAMPLES

    Upstream:
    - Fix tests broken by lack of { escaping in regex.
    - Move to EUMM
    - Bail out if there is no `dot`
    - use no_xxe with XML::Twig instantiation

    https://metacpan.org/pod/release/RSAVAGE/GraphViz-2.23/lib/GraphViz.pm#How-do-you-handle-XXE-within-XML

Difference is small enough that we can probably go start stabilizing. Almost no code change other than XXE, mostly packaging.
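To make the one-line upstream change concrete, here is an added illustration (not code from GraphViz or from this bug) of the two XML::Twig instantiations side by side: the default constructor found by the grep above, and the no_xxe form that GraphViz 2.23 switched to. The secret file and the XML document are constructed fixtures; XML::Twig must be installed.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use File::Temp qw(tempfile);
use XML::Twig;

# Constructed fixture: a local file whose content must never end up
# inside the parsed document.
my ($fh, $secret_path) = tempfile(UNLINK => 1);
print {$fh} "SECRET-MARKER\n";
close $fh;

# Constructed input: an external entity pointing at that file and
# referenced from the body, the pattern the tracker bug describes.
my $xml = <<"XML";
<?xml version="1.0"?>
<!DOCTYPE graph [
  <!ENTITY ext SYSTEM "$secret_path">
]>
<graph><node id="a">&ext;</node></graph>
XML

# Before the fix (GraphViz 2.20, lib/GraphViz/XML.pm): default options,
# under which XML::Parser resolves the external entity, so the file
# content becomes the node text.
my $unsafe = XML::Twig->new();
$unsafe->parse($xml);
my $leaked = $unsafe->root->first_child('node')->text;
print "default XML::Twig, node text: $leaked";

# After the fix (GraphViz 2.23): no_xxe makes XML::Twig croak when it
# meets the external entity instead of resolving it, so the parse fails
# closed and nothing from the file is read into the twig.
my $safe = XML::Twig->new(no_xxe => 1);
my $ok = eval { $safe->parse($xml); 1 };
print "no_xxe XML::Twig: ", ($ok ? "parsed (unexpected)\n" : "refused: $@");
```

Running it prints the marker for the default twig and a refusal for the no_xxe twig, which is the behavioural difference the stabilization request relies on.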
Please stabilize, target amd64 x86 dev-perl/GraphViz-2.240.0
amd64 stable
x86 stable. Maintainer(s), please clean up. Security, please vote.
commit 0ba719c6cbcdfa468e553fc423e1088e5d438a1a
Author: Kent Fredric <kentnl@gentoo.org>
Date:   Mon Jan 23 01:23:34 2017 +1300

    dev-perl/GraphViz: Clean up old versions re bug #600828

    No significant difference between recent versions and this one,
    other than upstream adding special handling for xxe
Tree is clean.