Moritz Muehlenhoff wrote:
> On Fri, Mar 24, 2017 at 07:41:03AM -0400, Scott Howard wrote:
> > I was contacted by someone at SUSE that is working on fixing the security
> > bugs - but even if successful, I don't know how good the quality will be or
> > how much testing will be able to get done before stretch is released.
> > Removal might be safest option
>
> Unfortunately removal didn't work out for stretch and will have to wait
> for buster.

Since the stretch release is coming close and since Scott is on the LowNMU list I've uploaded an NMU. CVE-2017-5980 isn't mentioned in the patch names, but I've confirmed with the reproducers that it's fixed as well.

CVE-2017-5977 still needs to be checked, it might be fixed along with zziplib-CVE-2017-5974.patch or zziplib-CVE-2017-5976.patch, but needs further investigation. It's only a memory overread, so if it misses the stretch release that's not a big deal.

Cheers,
Moritz