> Bugfix release on the 4.16 branch, most notably to close a
> vulnerability in xfce4-mime-helper. The related issue will be disclosed
> at some later point.
> - Escape characters which do not belong in a URI/URL (Issue #390)
The commit is:
The bug has been referenced in the following commit(s):
Author: Michał Górny <email@example.com>
AuthorDate: 2022-11-08 13:10:51 +0000
Commit: Michał Górny <firstname.lastname@example.org>
CommitDate: 2022-11-08 13:14:56 +0000
xfce-base/xfce4-settings: Security cleanup
Signed-off-by: Michał Górny <email@example.com>
xfce-base/xfce4-settings/Manifest | 2 -
.../xfce4-settings/xfce4-settings-4.16.3.ebuild | 71 ---------------------
.../xfce4-settings/xfce4-settings-4.17.0.ebuild | 74 ----------------------
3 files changed, 147 deletions(-)
Mailed upstream about making the issue public
A CVE has been released, while upstream says they plan to wait a week before disclosure.
Apparently the previous fix has introduced a major regression (it broke handling paths with spaces). I'm going to stabilize a new/better fix but the version ranges for vulnerable versions can remain the same.
GLSA request filed