Brian May <b...@debian.org> writes: > Markus Koschany <a...@debian.org> writes: > >> I just had a closer look at the vulnerabilities. I have marked >> CVE-2016-5103, CVE-2015-2181 and CVE-2015-2180 as not-affected because >> the vulnerable code is not present in this version. There is no upstream >> fix available for CVE-2016-4086. >> >> That leaves us with CVE-2015-8864 and CVE-2016-4096 whereby the latter >> needs more investigation. Some affected plugins don't exist in Wheezy, >> the rest of the code is quite different. >> >> If you agree I intend to fix the two CVEs shortly. At the moment I think >> a backport is not necessary. > > Not sure if you were asking me or the mailing list, however no > objections from me. I say go ahead and do it.
Did you still want to do this? -- Brian May <b...@debian.org>
