
Re: Propose to ignore libxstream-java CVEs



Hi,

On Friday, 27.08.2021 at 14:03 +0200, Sylvain Beucler wrote:
> Hi,
> 
> I wrote an analysis in June
> https://lists.debian.org/debian-lts/2021/06/msg00024.html
> https://lists.debian.org/debian-lts/2021/06/msg00040.html
> 
> I believe we should postpone these CVEs with the goal of tracking how 
> /upstream/ reverse dependencies are adapting to the removal of the 
> blacklist, and backport the changes to the /packaged/ reverse dependencies.

Let me test the new whitelist approach in unstable first. I intend to upload
version 1.4.18 to unstable today. If there are no regressions, we can just
switch to the whitelist because this is the most secure one. On the other hand,
we can still keep adding problematic types to the blacklist for now, which is
not too difficult either. These workarounds are documented here:

https://x-stream.github.io/security.html#workaround

In my opinion we should not ignore the CVE but choose one of the two solutions
going forward.

Regards,

Markus
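The two configurations contrasted above, as an added Java example that is not part of this thread or of XStream's own documentation; it assumes the XStream 1.4.x security API (addPermission, allowTypes, denyTypes, ForbiddenClassException) and a hypothetical org.example.model package for application classes.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.AnyTypePermission;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.Collection;
import java.util.Map;

public class XStreamSecuritySetup {

    /** Whitelist: deserialize nothing unless the type is explicitly permitted. */
    static XStream whitelist() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);          // clear any defaults
        xstream.addPermission(NullPermission.NULL);            // allow null
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class });
        xstream.allowTypeHierarchy(Collection.class);
        xstream.allowTypeHierarchy(Map.class);
        // Application model classes; the package name is a hypothetical placeholder.
        xstream.allowTypesByWildcard(new String[] { "org.example.model.**" });
        return xstream;
    }

    /** Blacklist: accept everything except an enumerated set of problematic types. */
    static XStream blacklist() {
        XStream xstream = new XStream();
        xstream.addPermission(AnyTypePermission.ANY);          // permit all types ...
        // ... then deny entries from XStream's documented blacklist; every new
        // advisory means adding more entries here, which is the maintenance cost.
        xstream.denyTypes(new String[] { "java.beans.EventHandler", "java.lang.ProcessBuilder" });
        xstream.denyTypesByWildcard(new String[] { "javax.crypto.**" });
        return xstream;
    }

    /** True if the configured instance refuses to deserialize the given XML. */
    static boolean rejects(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return false;
        } catch (ForbiddenClassException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: a harmless type that is simply not on the whitelist.
        String date = "<java.util.Date>2021-08-27 14:03:00.0 UTC</java.util.Date>";
        System.out.println("whitelist rejects unknown type: " + rejects(whitelist(), date));
        System.out.println("blacklist rejects unknown type: " + rejects(blacklist(), date));
    }
}
```

The whitelist instance refuses the Date because it was never allowed, while the blacklist instance accepts it because Date is not on the deny list; that difference is why the whitelist needs a regression test against every reverse dependency before it can replace the blacklist.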

