
Recent flex security announcement



I have a feeling I'm about to embarrass myself by displaying either ignorance or a failure to spot the obvious, but here goes...

The other day there was a Debian security advisory about the flex package. On my Debian machines, the fix can be installed by the usual apt commands.

However I also have Linux machines that don't use a package management system, and there I also have a version of flex with the vulnerability, so I wanted to get the source tarball of the fixed version (v2.6.1) so I could build it for there too.

And the only place I can find 2.6.1 is on Debian's package website. The latest version the upstream site (SourceForge) has is v2.6.0, which, as I understand it, has the vulnerability.

Anyone know what the deal is here?

Mark
