[gdal-dev] libtiff 4.5.1 is released

Andrew C Aitchison andrew at aitchison.me.uk
Wed Jun 14 06:28:01 PDT 2023


On Wed, 14 Jun 2023, Even Rouault wrote:

> Hi,
>
> I've promoted rc3 as the final 4.5.1 release.
>
> Read about this release at:
> https://libtiff.gitlab.io/libtiff/releases/v4.5.1.html
>
> Note the following warning:
> This version will be the last one supporting most TIFF tools (except tiffinfo,
> tiffdump, tiffcp and tiffset), whose maintenance will be discontinued, due
> to the lack of contributors able to address reported security issues.
> Starting with libtiff v4.6.0, their source code, at this time, will still be
> available in the source distribution, but they will no longer be built by
> default, and issues related to them will no longer be accepted in the
> libtiff bug tracker.

I think we should continue to allow *security* issues to be reported
and tracked, but make it clear that they will not be addressed.
If the source is available, someone will try to use it; is it not
fair that they know about security issues that others have found?

I am not saying we do anything, but if A can be bothered to report a
security issue, then the only reason not to let B know would be if the
report was as dangerous as the flaw?
Or would this mean we would need to triage security reports?

-- 
Andrew C. Aitchison                      Kendal, UK
                    andrew at aitchison.me.uk

