Hi Aljoscha,

On Wed, Apr 17, 2019 at 12:23:54PM +0200, Jonas Smedegaard wrote:
> Quoting Aljoscha Lautenbach (2019-04-16 22:27:47)
> > > @Aljoscha: Thanks for your initial work and - more so - for
> > > committing to help generally looking after these security issues in
> > > libsass.
> > >
> > > Due to the expansion of the libsass team with Aljoscha, I am
> > > lowering severity of this bugreport.
> >
> > Just in case that was not clear in my initial message, that is indeed
> > the intention. On any given week I can spend 0.5 to 4 hours on this,
> > so this will not be an instantaneous change, but a slow and steady
> > effort.
> >
> > I have continued to update the little CVE table I sent earlier, and I
> > will start to update and file bugs accordingly soon (where "soon" ~= 3
> > weeks, due to upcoming vacation).

Please work through the security tracker, at least for several of the 2017 they are probably already fixed in buster's version.
https://security-tracker.debian.org/tracker/source-package/libsass

You can also submit updates yourself via
https://security-tracker.debian.org/tracker/data/report

Cheers,
Moritz