Well, the security issue is probably worth fixing, but it may not make sense to ship the library in stretch. No other official packages depend on it.
On Wed, Mar 22, 2017 at 12:28 PM, Andrey Rahmatullin <w...@debian.org> wrote: > On Wed, Mar 22, 2017 at 12:15:49PM -0700, Felix Lechner wrote: > > Changes since the last upload: > > > > * New upstream release. > > * New major version is 10 > > * New maintainer email address > > * Fixes a low level vulnerability for buffer overflow when loading a > > malformed temporary DH file > > * Fixes a medium level vulnerability for processing of OCSP response > > * Fixes CVE-2017-6076, a low level vulnerability for a potential cache > attack > > on RSA operations (Closes: #856114) > According to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856114#20 > this is not intended to be fixed in testing, is that correct? > > -- > WBR, wRAR >