Leo Famulari <[email protected]> wrote:

> On Thu, Jul 28, 2016 at 03:23:37AM -0400, Leo Famulari wrote:
>> libgd 2.2.3 has been released [0], which includes fixes for
>> CVE-2016-6207.
>
> Instead of updating to 2.2.3, we could also try cherry-picking the
> upstream commits that address this bug, as attached.

Are there any good reasons not to update? I would tend to update, which
sounds simpler and will have to be done anyway, but maybe I’m
overlooking something.

Thanks for taking care of this,
Ludo’.
