webp-sh / webp_server_go

Go version of WebP Server. A tool that will serve your JPG/PNG/BMP/SVGs as WebP/AVIF format with compression, on-the-fly.
https://docs.webp.sh
GNU General Public License v3.0
1.79k stars 174 forks

Use compiled libwebp to mitigate CVE-2023-4863 #276

Closed n0vad3v closed 1 year ago

n0vad3v commented 1 year ago

The libwebp CVE is fixed in tag 1.3.2: https://chromium.googlesource.com/webm/libwebp/+/refs/tags/v1.3.2

  • security fix for lossless decoder (chromium: #1479274, CVE-2023-4863)

While the libwebp-dev package on debian-bookworm is still 1.2.4 (1.2.4-0.2+deb12u1), we need to compile libwebp to mitigate this CVE before a new libwebp-dev is released.

github-actions[bot] commented 1 year ago

ghcr.io/webp-sh/webp_server_go (debian 12.1)
============================================
Total: 0 (HIGH: 0, CRITICAL: 0)