Hi Team,
Could you please let us know the status of the mentioned CVE “CVE-2021-27845”?
Does it impact the package “jasper-2.0.14-5.el8.x86_64.rpm”?
Regards,
Neha Juneja
For some reason Red Hat has no entry for CVE-2021-27845. One should ask Red Hat why they don’t.
Furthermore, AlmaLinux 8 has only jasper-libs but no jasper.
Looks like jasper is not “included in” el8, unlike el7 and el9 that do have it.
There is jasper in AlmaLinux 8 Devel, but AlmaLinux Repositories | AlmaLinux Wiki says:
Content in the Devel repo includes packages that are not normally provided in the base nor extra repositories, but needed for build-time dependencies of other packages. Devel is NOT meant to satisfy runtime dependencies or for long term use on general purpose machines.
A CVE in a package that is supposedly not in use, nor mentioned by Red Hat, isn’t at the top of the todo list, is it? Then again, jasper-libs is clearly in el8, so the CVE could perhaps apply.
Look, here’s the source for AlmaLinux 8’s version of jasper:
The patch for CVE-2021-27845 looks like this and is not included:
That’s something you could ask Red Hat, the package was taken as is from their sources. I don’t know when or if this is fixed. You could patch it yourself to be on the safe side.
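One practical way to answer “is this CVE fixed in the package I have installed?” is to look at the RPM changelog, since packagers normally record backported CVE fixes there. The following is an added example (not code from this thread or from AlmaLinux/Red Hat): a POSIX shell helper that searches changelog text for a CVE id as a whole token, plus a wrapper around `rpm -q --changelog` for a live system. The package names and the sample changelog entries in `demo` are constructed for illustration; a “not-mentioned” result only means no fix entry was found, which is exactly the situation described above for jasper-libs on AlmaLinux 8.

```shell
#!/bin/sh
# Added example (not from the forum thread): check whether an installed RPM's
# changelog references a given CVE id. The sample changelog text in demo() is
# constructed for illustration.

# Usage: cve_mentioned_in_changelog CVE-ID   (changelog text on stdin)
# Exit status 0 if the CVE id appears as a whole token, 1 otherwise.
cve_mentioned_in_changelog() {
    cve="$1"
    # Require a non-digit (or end of line) after the id so that
    # CVE-2021-27845 does not also match CVE-2021-278450.
    grep -q -E -- "${cve}([^0-9]|$)"
}

# Usage: installed_package_cve_status PACKAGE CVE-ID
# Prints one of: not-installed, mentioned, not-mentioned.
# "mentioned" means the packager recorded that CVE in the changelog;
# "not-mentioned" means only that no such entry was found.
installed_package_cve_status() {
    pkg="$1"
    cve="$2"
    if ! rpm -q "$pkg" >/dev/null 2>&1; then
        echo "not-installed"
        return 0
    fi
    if rpm -q --changelog "$pkg" | cve_mentioned_in_changelog "$cve"; then
        echo "mentioned"
    else
        echo "not-mentioned"
    fi
}

# Stand-alone demonstration on constructed changelog text (no rpm required).
demo() {
    constructed_changelog='* Mon Jan 01 2024 Example Packager <packager@example.invalid> - 2.0.14-6
- Backport upstream fix for CVE-2021-27845 (constructed entry)

* Tue Jun 01 2021 Example Packager <packager@example.invalid> - 2.0.14-5
- Rebuild'
    if printf '%s\n' "$constructed_changelog" | cve_mentioned_in_changelog CVE-2021-27845; then
        echo "constructed changelog: CVE-2021-27845 mentioned"
    else
        echo "constructed changelog: CVE-2021-27845 not mentioned"
    fi
}
```

On an EL8 host you would run `installed_package_cve_status jasper-libs CVE-2021-27845`; `demo` exercises the matching logic offline. Because the check only reads the changelog, it cannot tell a silently fixed build from an unfixed one, so treat it as a quick triage step rather than proof either way.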
I have created an issue at the Red Hat bug tracker:
https://issues.redhat.com/browse/RHEL-25160
Given that it’s a 5.5-Medium score, it won’t likely be a high priority for Red Hat to patch unless customers tell them that they are specifically impacted by it. That doesn’t mean someone from the AlmaLinux community can’t still submit a patch to it here and upstream via CentOS Stream.