On Sun, Mar 11, 2018 at 02:02:22PM +0100, Rene Engelhard wrote: > Hi, > > On Sun, Mar 11, 2018 at 08:43:32AM +0100, Salvatore Bonaccorso wrote: > > CVE-2018-7999: > > | In libgraphite2 in graphite2 1.3.11, a NULL pointer dereference > > | vulnerability was found in Segment.cpp during a dumbRendering > > | operation, which may allow attackers to cause a denial of service or > > | possibly have unspecified other impact via a crafted .ttf file. > > > > If you fix the vulnerability please also make sure to include the > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry. > > > > For further information see: > > > >  https://security-tracker.debian.org/tracker/CVE-2018-7999 > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7999 > >  https://github.com/silnrsi/graphite/issues/22 > > upstream fix backported. Uploaded to sid. > > Merged this for jessie and stretch, too. See attached debdiffs. Want me > to upload for a DSA?
This doesn't warrant a DSA, we can either postpone until the next more severe graphite vulnerabity or fix it via a point update. Cheers, Moritz