Re: openscenegraph 2.4.0-1.1: embedded copy of vulnerable lib3ds
In gmane.linux.debian.devel.release, you wrote:
> recently a bug has been reported for the lenny version of the
> openscenegraph 2.4.0-1.1 source package, based upon the fact that this
> package includes an embedded, vulnerable copy of the lib3ds library:
> The security team said that our proposed update did not warrant a
> security update, and that we should make a stable release instead.
> The Debian Developers of this package and I now have available a new
> version of the package which removes the embedded copy and makes the
> compilation process link the generated libraries against Debian system's
> lib3ds version. I'm attaching the diff in this mail for you to
> inspect. I wonder if the `high' priority that I have given to this
> release is fine or not.
That wouldn't buy us much, since lib3ds isn't fixed in Lenny yet; it
would need to be updated along with it.