Re: Wheezy update of roundcube?



On 20.06.2016 10:56, Brian May wrote:
> Brian May <bam@debian.org> writes:
> 
>> Markus Koschany <apo@debian.org> writes:
>>
>>> I just had a closer look at the vulnerabilities. I have marked
>>> CVE-2016-5103, CVE-2015-2181 and CVE-2015-2180 as not-affected because
>>> the vulnerable code is not present in this version. There is no upstream
>>> fix available for CVE-2016-4086.
>>>
>>> That leaves us with CVE-2015-8864 and CVE-2016-4096 whereby the latter
>>> needs more investigation. Some affected plugins don't exist in Wheezy,
>>> the rest of the code is quite different.
>>>
>>> If you agree I intend to fix the two CVEs shortly. At the moment I think
>>> a backport is not necessary.
>>
>> Not sure if you were asking me or the mailing list, however no
>> objections from me. I say go ahead and do it.
> 
> Did you still want to do this?
> 

Yes, it is done but I haven't found the time to properly test it yet. I
expect an announcement this month.

Regards,

Markus
