On January 27, 2018 2:30:45 PM UTC, Salvatore Bonaccorso <car...@debian.org> wrote:
>Hi Scott,
>
>On Sat, Jan 27, 2018 at 02:05:59PM +0000, Scott Kitterman wrote:
>> fixed 888484 0.99.3~beta2+dfsg-1
>>
>> Everyone:
>>
>> Please leave the status of this bug to the package maintainers.
>> We've checked and all the security issues in the new 0.99.3 release
>> were previously addressed in the beta that's in testing/unstable.
>>
>> If you think this is incorrect, provide specific information about
>> why (i.e. point to the code). Don't change the status of the bug.
>> You aren't helping.
>
>This though was not clear at all from
>https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888484#29 where the
>bug was marked fixed in 0.99.3~beta2+dfsg-1, where Sebastian wrote:
>
>> I *think* the crashes you observed might be due to FD desc issue. This
>> was fixed in Stretch by chance but not in Jessie. However the remaining
>> CVEs were not addressed yet and I'm looking into it…
>>
>> [0] http://blog.clamav.net/2018/01/update-on-recent-file-descriptors-issue.html
>
>So "the remaining CVEs were not addressed yet" part.
>
>I take your last email as confirmation that they indeed *are* fixed in
>0.99.3~beta2+dfsg-1 and have updated the security-tracker information
>as such.

Thanks.

This is a bit of a confusing mess (thanks upstream). My understanding is that the remaining ones are ones that are addressed in the beta in unstable/testing, but not the new release.

If I find out different, I'll be sure to update the tracker.

Scott K