
Re: [SECURITY] [DLA 918-1] freetype security update



Hi,

> See https://security-tracker.debian.org/tracker/CVE-2016-10328

Nice, I see it's in 'fixed' state in 2.5.2-3+deb8u1 already. I guess it was not 
clear that this does not affect that version last time I checked - I remember 
it was 'vulnerable' back then (April 21st).

> CVE-2016-10244 was only scheduled for the next point release due to low
> impact, but in the light of the new CVE-2017-8105, it'll be fixed in a DSA
> as well.

I see a previous CVE fixed in Debian-LTS still lights up in jessie: 
https://security-tracker.debian.org/tracker/CVE-2016-10244

Do you happen to know if that one's coming out in a DSA?

We're keeping a special watch-out for freetype due to our special use case, 
where a potential DoS or memory access is a real one.

Again, thanks for your efforts, and for keeping freetype secure and patched. 
Good work!

Regards,
Bolesław Tokarski

