Hi,

On Thu, Jul 11, 2019 at 05:21:38PM +0200, Vladyslav Cherednychenko wrote:
> Dear Debian Security Team,
> I noticed that the latest available cron package in the stable
> distribution of Debian Stretch is vulnerable to CVE-2017-9525:
> https://security-tracker.debian.org/tracker/CVE-2017-9525
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864466
>
> It seems like this issue has been known for a while now and fixed.
> Are there plans to include cron version 3.0pl1-129 to the stable
> release of Debian Stretch?

There are currently no plans to update the cron package to address this
issue only. The issue is severity-wise minor, and would not warrant a DSA
on its own. It can be fixed in a point release, but ideally picking up
other src:cron issues which are open for stretch in a point release.

Regards,
Salvatore

