Hi,

On 30/12/15 at 01:49, Ben Hutchings wrote:
> Hello dear maintainer(s),
>
> the Debian LTS team would like to fix the security issues which are
> currently open in the Squeeze version of librsvg:
> https://security-tracker.debian.org/tracker/CVE-2015-7557
> https://security-tracker.debian.org/tracker/CVE-2015-7558

Regarding Squeeze and AFAICS, while the fix for CVE-2015-7557 is simple, CVE-2015-7558 is not trivial. It has been fixed by many changes in the checks of cyclic references, using the new rsvg_acquire_node function (i.e. https://git.gnome.org/browse/librsvg/commit/?id=a51919f7e1ca9c535390a746fbf6e28c8402dc61).

I cannot find info about how CVE-2015-7558 is exploitable, but I'd say that it is no-dsa. What do you think? What's the security team's position about it?

Cheers,

Santiago