On Mon, Apr 08, 2024 at 01:59:55PM +0200, Sylvain Beucler wrote:
> Hi,
>
> I think this requires a bit of coordination:
> - the package is basically dead upstream, there hasn't been a fix in the
> official repos, neither Debian nor other distros attempted to fix them

Some of the past fixes got addressed by upstream. But the recent people who run fuzzers never reported them upstream to the rather byzantine SourceForge bug tracker and only posted it to some unrelated tree on GitHub to get a CVE assigned.

So a useful next step would be to break those reports down into separate bug reports and file them there so that upstream actually learns about them.

Cheers,
Moritz