Hi folks,

I saw that Chris added a couple of packages to dla-needed.txt and Brian already claimed binutils. In my opinion CVE-2016-6131 is not a security issue and in this case we should mark it as no-dsa. I did the same for all of the newly reported CVEs last week.

In general gdb and valgrind are development tools and I'm sure there are numerous ways to craft a special executable that can make these tools crash. You won't find the circumstances in a production environment though, so I'm all for removing the packages from dla-needed.txt until there is a real security issue. The security team and others seem to agree. [1][2]

Regards,

Markus

[1] https://security-tracker.debian.org/tracker/source-package/binutils
[2] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6131