Re: ksh / CVE-2019-14868
On 13/07/2020 00:01, Brian May wrote:
> Is dla-needed.txt for Jessie or Stretch now?
> ksh was removed from dla-needed.txt for Stretch and classified "minor":
> Then it was added again:
> Should we mark it as ignored in Stretch also? Or maybe the reason (as
> given in the commit message when ksh was first removed) was wrong?
github is currently down, so I can't review the patch, but it sounds
like we don't know for sure the full impact of the vulnerability and
would be better off fixing it.