
Re: Wheezy update of roundcube?



On 09.06.2016 09:45, Brian May wrote:
> Adrian Zaugg <adi@ente.limmat.ch> writes:
> 
>> I would vote for a backported 1.0.x version or rather remove 0.7 than 0.9.
> 
> I couldn't find 1.0.x in Debian, so tried version 1.1.5+dfsg.1-1~bpo8+1
> from jessie-backports instead.
> 
> Unfortunately it needs a newer version of libjs-jquery than what is
> available in Wheezy:

Hi,

I just had a closer look at the vulnerabilities. I have marked
CVE-2016-5103, CVE-2015-2181 and CVE-2015-2180 as not-affected because
the vulnerable code is not present in this version. There is no upstream
fix available for CVE-2016-4086.

That leaves us with CVE-2015-8864 and CVE-2016-4096 whereby the latter
needs more investigation. Some affected plugins don't exist in Wheezy,
the rest of the code is quite different.

If you agree I intend to fix the two CVEs shortly. At the moment I think
a backport is not necessary.

Regards,

Markus



