
Re: Wheezy update of w3m?

Hi Raphael

I did not want to tag them no-dsa (without further analysis) due to the following:
1) Our recent discussion regarding heap overflow (causing arbitrary code execution) not being protected by the compiler.
2) Stable security uses no-dsa to mark that they are not immediately fixed but could be fixed in a point release. Oldstable security does not have a point release so therefore we should not use no-dsa as frequently.

However if you think they are minor enough I'll happily mark them no-dsa as well.

// Ola

On 25 November 2016 at 09:46, Raphael Hertzog <hertzog@debian.org> wrote:
Hi Ola,

On Thu, 24 Nov 2016, Ola Lundqvist wrote:
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of w3m:
> https://security-tracker.debian.org/tracker/CVE-2016-9621
> https://security-tracker.debian.org/tracker/CVE-2016-9625
> https://security-tracker.debian.org/tracker/CVE-2016-9626
> https://security-tracker.debian.org/tracker/CVE-2016-9627
> https://security-tracker.debian.org/tracker/CVE-2016-9630
> https://security-tracker.debian.org/tracker/CVE-2016-9632
> https://security-tracker.debian.org/tracker/CVE-2016-9633

The security team tagged all those "no-dsa", why do you believe that they
deserve to be fixed in wheezy?

Please tag them as no-dsa as well.

Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
