On Mon, Aug 27, 2018 at 05:40:01PM +0800, Bjoern wrote:
> -- Begin Quote: ----------------------
> From: Chris Lamb <la...@debian.org>
> To: 906...@bugs.debian.org
> Cc: t...@security.debian.org
> Subject: Re: libxcursor: CVE-2015-9262
> Date: Mon, 13 Aug 2018 08:18:27 +0100
>
> [Message part 1 (text/plain, inline)]
>
> Hi security team,
>
> > libxcursor: CVE-2015-9262
>
> I have prepared an update for stretch:
>
>   libxcursor (1:1.1.14-1+deb9u2) stretch-security; urgency=high
>
>     * Non-maintainer upload by the Security Team.
>     * Fix a denial of service or potentially code execution via
>       a one-byte heap overflow. (CVE-2015-9262) Closes: #906012)
>
>    -- Chris Lamb <la...@debian.org>  Mon, 13 Aug 2018 09:09:13 +0200
>
>
> Full debdiff attached. Permission to upload to stretch-security?
> -- End Quote: ------------------------
>
> Hi Chris & Security Team:
>
> Has Chris' patch for "Stretch" gone to /dev/null ?
>
> "Stretch"/stable remains exposed whilst old-stable, testing, and unstable
> have been patched.
>
> May I seek your enlightenment on this matter?

This turned out to be non-exploitable. A fix will be provided via the
stretch 9.6 point release.

Cheers,
        Moritz