According to:
https://security-tracker.debian.org/tracker/CVE-2016-5696
Wheezy and Jessie are still vulnerable. The attack in question is
kind of bad (it allows blind injection of arbitrary data into
things like http downloads) and has been known for a few weeks now to
the general public.
Any idea out there when updates to the kernels in question will be
released?
I could have sworn I saw a fix for this sometime last week, as I would only have become aware of it when the security advisory was published. I built a new kernel based on 4.7 for my non-debian boxes last weekend, and assumed the regular updates would take care of Debian. I've long since deleted the email of course, but I am not sure how I would have even known there was an issue unless there had been one of the usual mails saying "this issue is fixed in...". But I agree that is not how the CVE item you linked to makes it look. Could there be a duplicate, with all the updates on the other one?
Mark