On Wed, Oct 12, 2022 at 03:45:11PM +0200, Sylvain Beucler wrote:
I'll give it some testing on my buster system.
Thank you. I take the absence of a further response as "nothing broke".
- a methodology point: if there's some uncertainty on CVE-2016-10228 (note:
which is a 2020 fix really), that neither secteam nor the maintainers
decided to fix in other Debian dists, maybe it's not worth the risk to fix
it in LTS.
I read your note that other distros (ubuntu, redhat) did so, though;
contacting the maintainers could help evaluate the risk better.
Yeah. I'm fixing quite a number of issues that were not previously
considered. Even though these were non-trivial to fix, I believe that we
should fix them. Leaving them as is would mean that character conversion
involving untrusted inputs is not supported at all. Seems like a hard
sell, right?