Hi, On Wed, Oct 27, 2021 at 08:57:06AM +0000, Debian Bug Tracking System wrote: > This is an automatic notification regarding your Bug report > which was filed against the src:libgrokj2k package: > > #990525: libgrokj2k: CVE-2021-36089 > > It has been closed by Adam Borowski <[email protected]>. > > Their explanation is attached below along with your original report. > If this explanation is unsatisfactory and you have not received a > better one in a separate message then please contact Adam Borowski > <[email protected]> by > replying to this email. > > > -- > 990525: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990525 > Debian Bug Tracking System > Contact [email protected] with problems
> Date: Wed, 27 Oct 2021 10:51:43 +0200 > From: Adam Borowski <[email protected]> > To: [email protected] > Subject: closing > Message-ID: <[email protected]> > > Version: 9.2.0-1 > > Fixed in never-uploaded-to-debian version that's a part of 9.5.0-1. > > libgrokj2k (9.2.0-1) unstable; urgency=high > > * Majour release > * Fixes CVE-2021-36089 (Closes: #990525) > > -- Aaron Boxer <[email protected]> Sat, 22 May 2021 11:10:00 +0200 Looking at the https://github.com/google/oss-fuzz-vulns/blob/main/vulns/grok/OSV-2021-677.yaml can you clarify what was the fix for the CVE? In particular the OSV-2021-677 still metnions explicitly from the fuzzing as well v9.5.0 as affected. Can you point me to what I'm missing and where the issue got fixed? Regards, Salvatore
