On Wed, Jan 17, 2018 at 09:05:18PM +0100, Pali Rohár wrote:
> Hi! Package request-tracker4 depends on libemail-address-perl which is
> vulnerable to CVE-2015-7686, see bug #868170. libemail-address-perl
> provides the Perl module Email::Address which is now unmaintained. There is
> a new Perl module Email::Address::XS which is an API-compatible replacement
> for Email::Address and is available in libemail-address-xs-perl. Please
> port the request-tracker4 package to use libemail-address-xs-perl. If you need
> help with porting, let me know.

Thanks for the heads up. Upstream is going to look at this for the 4.6 cycle.

Given that request-tracker4 is far from being the only reverse dependency at the moment, I don't plan to look at accelerating this, but I would happily take a working patch into Debian sooner.

Cheers,
Dominic.