Bug#912531: stretch-pu: package exiv2/0.25-3.1+deb9u2

["Adam D. Barratt" <adam@adam-barratt.org.uk>]

On Sun, 2019-03-31 at 15:44 -0400, Roberto C.Sánchez wrote:
> On Sun, Mar 31, 2019 at 08:09:27PM +0100, Adam D. Barratt wrote:
> > On Thu, 2018-11-01 at 21:07 -0400, Roberto C.Sánchez wrote:
> > > On Thu, Nov 01, 2018 at 06:50:53PM +0000, Adam D. Barratt wrote:
> > > > Control: tags -1 + moreinfo
> > > > 
> > > > On Wed, 2018-10-31 at 23:25 -0400, Roberto C. Sanchez wrote:
> > > > > I have prepared an update for exiv2 in jessie (0.24-
> > > > > 4.1+deb8u2)
> > > > > related to CVE-2018-16336 and also including a minor fix to
> > > > > the
> > > > > previous patch for CVE-2018-10958 and CVE-2018-10999.
> > > > 
> > > > The Security Tracker indicates that CVE-2018-16336 is as-yet
> > > > unfixed in
> > > > unstable; is that correct?
> > > > 
> > > 
> > > Hi Adam,
> > > 
> > > That is correct.  I completely overlooked it.  I will check with
> > > the
> > > maintainers about their plans for unstable.
> > 
> > Was there any progress there? The issue is still marked as
> > affecting
> > unstable in the tracker.
> > 
> No real progress.  I sent a message [0] to the packaging team's
> mailing
> list that same day (1st November).  Salvatore responded a few days
> later, but there was no response after that.
> 
> Regards,
> 
> -Roberto
> 
> [0] 
> https://alioth-lists.debian.net/pipermail/pkg-kde-extras/2018-November/029728.html
> 

Still nothing? We're about to hit 10 months since the initial request.
:-(

Regards,

Adam