Message-ID: <7e93b4f6-2ccd-4859-97b4-d51d61b95694@oracle.com>
Date: Wed, 3 Dec 2025 13:09:49 -0800
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com, Cosmin Truta <ctruta@...il.com>
Subject: Re: libpng 1.6.52: Out-of-bounds vulnerability fixed: CVE-2025-66293

On 12/3/25 12:51, Cosmin Truta wrote:
> Hello, everyone,
> 
> libpng 1.6.52 has been released to address an out-of-bounds read
> vulnerability in the simplified API. This release fixes one
> high-severity CVE affecting libpng 1.6.0 through 1.6.51.

Does this bug (and the recent bugs fixed in 1.6.51) not affect the older
branches of libpng, or is the statement that "libpng 1.2.x continues to get
security fixes, as has 1.0.x for well over a decade" on
https://libpng.org/pub/png/libpng.html no longer correct?

Is the statement on https://libpng.sourceforge.io/index.html that the older
branches "ARE NO LONGER UPDATED" and were frozen in 2017 the correct one now?

-- 
         -Alan Coopersmith-                 alan.coopersmith@...cle.com
          Oracle Solaris Engineering - https://blogs.oracle.com/solaris