Hi, I am currently porting freej2me to nixpkgs (a Linux package repository). Unfortunately, the package is stuck in draft due to the Freeimage dependency, which is littered with CVEs:
CVE-2021-33367
CVE-2021-40262
CVE-2021-40263
CVE-2021-40264
CVE-2021-40265
CVE-2021-40266
CVE-2023-47992
CVE-2023-47993
CVE-2023-47994
CVE-2023-47995
CVE-2023-47996
Due to the insecure nature of the dependency, it cannot be merged in its current state. I know that freej2me may not have high security concerns as it isn't a critical application, but I think using freeimage should be avoided in its current state.
I hope this can mark the start of migrating towards a vulnerability-free graphics library.