On Tue, Feb 07, 2023 at 02:48:25PM +0100, Jan Stary wrote:
> On Feb 06 22:56:02, t...@theobuehler.org wrote:
> > There is an ongoing discussion on audio/sox on oss-security:
> >
> > https://marc.info/?l=oss-security&m=167546008232629&w=2
> >
> > Steffen Nurpmeso ported the patches to apply against the commit
> > we also use in our ports, that's what's included in the diff below.
> >
> > The patches look sensible to me although I haven't reviewed them
> > thoroughly.
> >
> > It's probably a good idea to keep an eye on this discussion both for
> > reviews of the patches and for possible developments of a new upstream
> > repo containing them.
>
> I just asked upstream - let's wait on whether the upstream maintainer
> decides to include these in the upstream git (SF) that we build from;
> I would prefer that to maintaining the patches (thank you Steffen!)
For reference: https://marc.info/?l=sox-devel&m=167577672104072&w=2

The patches were sent to oss-security *because* upstream failed to react:

    I am working on fixing known vulnerabilities in sox and since upstream
    seems mostly dead (no commits in more than a year, no replies to bug
    reports)

Given this, waiting until upstream decides to unhibernate makes little
sense to me.