Salvatore Bonaccorso <car...@debian.org> writes:

> Your above tracking of the commits seems correct, which would mean
> that the issue was firstly introduced actually in v3.0.0 and given the
> code is not found in the buster and stretch version this would not
> affect those versions indeed.

Yes, you are right. I misread the GitHub webpage, which shows v4.0.0-preview1 in bold, but has v3.0.0 next to it. Good to know the git command to get this information, thanks for that.

> So to me updating the CVE entry to not-affected for buster and stretch
> (as the respective vulnerable code was introduced later) seems correct
> to me.

I will do so.

--
Brian May <b...@debian.org>