On Thu, Jul 20, 2023 at 03:44:07PM -0000, Christian K via openSUSE Factory wrote:
Thanks for pointing those out.
I am still confused, I reckon the fixed version for Leap 15.4 is package version 9.56 as seen at https://build.opensuse.org/package/binaries/Printing/ghostscript/15.4
yet I am unable to see that version in the updates repo http://download.opensuse.org/update/leap/15.4/sle/x86_64/
Am I looking in the wrong place?
It's here I think:

https://download.opensuse.org/update/leap/15.4/sle/x86_64/ghostscript-9.52-1...

and the relevant changelog entry is:

* Thu Jun 29 2023 jsmeix@suse.com
- CVE-2023-36664.patch fixes CVE-2023-36664
  see https://bugs.ghostscript.com/show_bug.cgi?id=706761
  "OS command injection in %pipe% access"
  and https://bugs.ghostscript.com/show_bug.cgi?id=706778
  "%pipe% allowed_path bypass"
  and bsc#1212711
  "permission validation mishandling for pipe devices
  (with the %pipe% prefix or the | pipe character prefix)"

--
============================
Roger Whittaker
============================