Hardy's graphviz may be vulnerable to CVE-2008-4555

Asked by TroyJohnson

I found this vulnerability report:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4555

and the version of graphviz in Hardy looks like it could be vulnerable (the Gentoo report seems to assume it is). I looked here for reported bugs against the graphviz package:

https://launchpad.net/ubuntu/+source/graphviz/+bugs

and found none I could associate with the vulnerability. I also looked at the change log:

http://changelogs.ubuntu.com/changelogs/pool/main/g/graphviz/graphviz_2.16-3ubuntu2/changelog

and it doesn't seem to be a previously addressed issue either.

I have a developer that wants to install graphviz on a Java app server (for an auto-build environment) we have running Ubuntu 8.04 LTS Server, so I was wondering if the package was going to be upgraded to version 2.20.3 for 8.04, or if patches would be backported to version 2.16, or something else.

We can compile and install graphviz, but I would like to know if Ubuntu is addressing this issue already (and I just don't know where to look), or if there is something I need to do to start the process (this looked like a good place to start). Thank you for your consideration,

Troy Johnson

Question information

Language: English
Status: Answered
For: Ubuntu graphviz
Assignee: No assignee

actionparsnip (andrew-woodhead666) said :
#1

If you can find a PPA you can install a later version. I suggest you log a bug.
