Bug 8877

Summary: [UPDATE REQUEST 2016.1] libtiff 4.0.6 -> 4.0.9 + various CVE fixes
Product: [ROSA-based products] ROSA Fresh
Reporter: Giovanni Mariani <mc2374>
Component: Packages from Main
Assignee: ROSA Linux Bugs <bugs>
Status: VERIFIED FIXED
QA Contact: ROSA Linux Bugs <bugs>
Severity: normal
Priority: Normal
CC: andrey.bondrov, s.savelyeva, v.potapov
Version: Fresh
Flags: v.potapov: qa_verified+, andrey.bondrov: published+
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Platform: ---
ROSA Vulnerability identifier:
RPM Package: libtiff-4.0.6-3.src.rpm
ISO-related:
Bad POT generating:
Upstream:
Bug Depends on:
Bug Blocks: 6576

Description Giovanni Mariani 2018-03-24 18:46:17 MSK
Our actual libtiff package is 3 years old and is affected by a boatload of CVEs: see bug #6567 for all the gory list.

Pick up the latest release (4.0.9) and add patches for the CVEs still applying (CVE-2015-7554, CVE-2017-9935, CVE-2017-11613, CVE-2017-17095, CVE-2017-18013 and CVE-2018-5784).

According to ABI tracker there is no need to rebuild depending packages; see:
https://abi-laboratory.pro/tracker/timeline/libtiff/
Comment 1 Giovanni Mariani 2018-03-24 18:47:44 MSK
Advisory:
Update libtiff to release 4.0.9 and pick up fixes for various CVEs.

Packages for Rosa 2016.1 / Main:
https://abf.rosalinux.ru/build_lists/2923442
https://abf.rosalinux.ru/build_lists/2923443
Comment 2 s.savelyeva 2018-03-29 13:45:31 MSK
It works
Comment 3 Vladimir Potapov 2018-03-30 06:57:39 MSK
The update is sent to expanded testing
**************************************
Comment 4 Vladimir Potapov 2018-04-03 12:40:09 MSK
libtiff-4.0.9-1
https://abf.rosalinux.ru/build_lists/2923442
https://abf.rosalinux.ru/build_lists/2923443
****************************** Advisory ******************************
Update libtiff to release 4.0.9 and pick up fixes for various CVEs.
***********************************************************************
QA Verified