On Thu, Apr 12, 2018 at 05:14:18PM -0500, Dirk Eddelbuettel wrote:
>
> Further update. I took some files from the new (in-progress, unfinished it
> seems) upstream of libxls at https://github.com/evanmiller/libxls/, and got
> some advice from the libxls maintainer.
>
> He also put new issue tickets up, one per CVE:
> https://github.com/evanmiller/libxls/issues
>
> And that builds. It does not pass all unit tests (R / CRAN packages tend to
> have lots of those) but 'almost': 4 fail, 348 pass.
>
> We could release this, methinks. What is your recommendation (and it has
> been years since I last had to do a security release so help is as always
> appreciated).

Do all of these patches/vulnerabilities apply to the version in stable?
Then I'd say let's fix this via security.debian.org, see
https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#bug-security-building
for some references.

Cheers,
Moritz