Hi Salvatore,

On 18/01/16 at 08:57, Salvatore Bonaccorso wrote:
> Hi Santiago,
>
> Sorry for the late reply.
>

No worries!

> On Sat, Jan 09, 2016 at 07:06:35PM +0100, Santiago Ruano Rincón wrote:
> > Hi,
> >
> > On 30/12/15 at 01:49, Ben Hutchings wrote:
> > > Hello dear maintainer(s),
> > >
> > > the Debian LTS team would like to fix the security issues which are
> > > currently open in the Squeeze version of librsvg:
> > > https://security-tracker.debian.org/tracker/CVE-2015-7557
> > > https://security-tracker.debian.org/tracker/CVE-2015-7558
> >
> > Regarding Squeeze and AFAICS, while the fix for CVE-2015-7557 is simple,
> > CVE-2015-7558 is not trivial. It has been fixed by many changes in the
> > checks of cyclic references, using the new rsvg_acquire_node function
> > (i.e.
> > https://git.gnome.org/browse/librsvg/commit/?id=a51919f7e1ca9c535390a746fbf6e28c8402dc61).
> >
> > I cannot find info about how CVE-2015-7558 is exploitable, but I'd say
> > that it is no-dsa. What do you think? What's the security team's position
> > about it?
>
> I have marked one issue as no-dsa for wheezy- and jessie
> (CVE-2015-7557).

I had prepared a squeeze package to fix it, and even if it isn't a critical issue, I prefer to upload it given that the work is done.

> Regarding CVE-2015-7558, not sure here. But if the
> fix is too intrusive to backport we can mark it as <no-dsa> (Too
> intrusive to backport).

At least for Squeeze, it's indeed too intrusive. I haven't taken a look yet at Wheezy or Jessie.

Cheers,

Santiago