Hi Raphael

I did not want to tag them no-dsa (without further analysis) due to the following:
1) Our recent discussion regarding heap overflow (causing arbitrary code execution) not being protected by the compiler.
2) Stable security uses no-dsa to mark that they are not immediately fixed but could be fixed in a point release. Oldstable security does not have a point release so therefore we should not use no-dsa as frequently.

However if you think they are minor enough I'll happily mark them no-dsa as well.

// Ola

On 25 November 2016 at 09:46, Raphael Hertzog <hert...@debian.org> wrote:

> Hi Ola,
>
> On Thu, 24 Nov 2016, Ola Lundqvist wrote:
> > The Debian LTS team would like to fix the security issues which are
> > currently open in the Wheezy version of w3m:
> > https://security-tracker.debian.org/tracker/CVE-2016-9621
> > https://security-tracker.debian.org/tracker/CVE-2016-9625
> > https://security-tracker.debian.org/tracker/CVE-2016-9626
> > https://security-tracker.debian.org/tracker/CVE-2016-9627
> > https://security-tracker.debian.org/tracker/CVE-2016-9630
> > https://security-tracker.debian.org/tracker/CVE-2016-9632
> > https://security-tracker.debian.org/tracker/CVE-2016-9633
>
> The security team tagged all those "no-dsa", why do you believe that they
> deserve to be fixed in wheezy?
>
> Please tag them as no-dsa as well.
>
> Cheers,
> --
> Raphaël Hertzog ◈ Debian Developer
>
> Support Debian LTS: http://www.freexian.com/services/debian-lts.html
> Learn to master Debian: http://debian-handbook.info/get/
>

--
 --- Inguza Technology AB --- MSc in Information Technology ----
/  o...@inguza.com                    Folkebogatan 26            \
|  o...@debian.org                    654 68 KARLSTAD            |
|  http://inguza.com/                 Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9   /
 ---------------------------------------------------------------