On Mon, Sep 5, 2016 at 12:06 AM Salvatore Bonaccorso <car...@debian.org> wrote:
> -------------------------------------------------------------------------
> Debian Security Advisory DSA-3653-2                   secur...@debian.org
> https://www.debian.org/security/                     Salvatore Bonaccorso
> September 04, 2016                       https://www.debian.org/security/faq
> -------------------------------------------------------------------------
>
> Package        : flex
> CVE ID         : CVE-2016-6354
> Debian Bug     : 832768 835542
>
> It was reported that the update for flex as released in DSA-3653-1 did
> not completely address CVE-2016-6354 as intended due to problems in the
> patch handling and regenerated files during the build. Additionally a
> regression was introduced, causing new warnings when compiling flex
> generated code. Updated packages are now available to address these
> problems. For reference, the relevant part of the original advisory
> text follows.
>
> Alexander Sulfrian discovered a buffer overflow in the
> yy_get_next_buffer() function generated by Flex, which may result in
> denial of service and potentially the execution of code if operating on
> data from untrusted sources.
>
> Affected applications need to be rebuilt.
>
> For the stable distribution (jessie), this problem has been fixed in
> version 2.5.39-8+deb8u2.
>
> We recommend that you upgrade your flex packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://www.debian.org/security/
>
> Mailing list: debian-security-annou...@lists.debian.org

This only references a fix for stable. Does that mean that the version in stretch / sid did not suffer from the regression?

Mark