Hans Hagen wrote:

� wrote:

...

Hi, the libpng-version we use has a security problem which is fixed in a

you mean a bug; i always wonder why bugs are called security problem / fix; maybe because it sounds friendlier (since such risks originat efrom the outside world) -)

I think they are treated as a security issue if they allow a DoS attack or executing malicious code etc. It doesn't sound friendlier to me at all. A normal bug should be fixed, yes; but it doesn't make sense to backport all fixes for bugs found so far into a stable release. If it's a security issue, it generally makes sense. In this particular case, I don't know about the impact of the problem, and I personally don't care since we (Debian) compile --with-system-pnglib and therefore get the update automatically. Regards, -- Frank Küster Single Molecule Spectroscopy, Protein Folding @ Inst. f. Biochemie, Univ. Zürich Debian Developer (teTeX)

On 6/29/06, Frank Küster wrote:

...

...

the libpng-version we use has a security problem which is fixed in a

I think they are treated as a security issue if they allow a DoS attack or executing malicious code etc. It doesn't sound friendlier to me at all. A normal bug should be fixed, yes; but it doesn't make sense to backport all fixes for bugs found so far into a stable release. If it's a security issue, it generally makes sense.

In this particular case, I don't know about the impact of the problem, and I personally don't care since we (Debian) compile --with-system-pnglib and therefore get the update automatically.

Most linux distributions will compile using "--with-system-pnglib" anyway. In Fedora Core 4 I see; $ ldd /usr/bin/pdfetex | grep libpng libpng12.so.0 => /usr/lib/libpng12.so.0 People who need to worry about security shouldn't rely on the pdftex developers to provide new binaries. -- George N. White III Head of St. Margarets Bay, Nova Scotia

� wrote:

2006/6/29, George N. White III :

...

Most linux distributions will compile using "--with-system-pnglib" anyway. In Fedora Core 4 I see;

Same on SuSE 10.1

So, no 1.30.7 :-)

hm, i hope that tex live keeps shipping static binaries, i hate such dependencies (i love the idea to copy just a binary when i install a fresh copy of tex on a linux box using an existing box) Hans ----------------------------------------------------------------- Hans Hagen | PRAGMA ADE Ridderstraat 27 | 8061 GH Hasselt | The Netherlands tel: 038 477 53 69 | fax: 038 477 53 74 | www.pragma-ade.com | www.pragma-pod.nl -----------------------------------------------------------------