Fedora has issued an advisory on December 24:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FYQLNAB3ZRR7U66VC3ANQHVU3MO5E3QD/
Corresponding upstream commit and pull request:
https://github.com/json-c/json-c/commit/5ea6a05bfa43c9ba438fbc0eaea600edd6d72b88
https://github.com/json-c/json-c/pull/389
Frankly I disagree with the patch and the reasoning. It violates the "don't leave assertions turned on in production code" mantra, which in general can cause DoS issues, but in this case if the issue can be triggered, you already have that problem. It sounds to me like "libu2f-server and sway" (whatever they are) are buggy and doing something wrong and this patch is pointless.
Assigning to the registered maintainer. CC'ing all packagers collectively and some committers, because the cauldron changelog of this package doesn't mention the maintainer.
CC: (none) => cjw, marja11, oe, olav, pkg-bugs
Assignee: bugsquad => mageia
Status comment: (none) => The validity of this issue is debatable
Mageia 6 is EOL.
CC: (none) => mrambo
Resolution: (none) => OLD
Status: NEW => RESOLVED