Thank you. It was added to dla-needed.txt one or two days ago.
/ Ola Sent from a phone Den 27 dec 2016 22:37 skrev "Antoine Beaupré" <[email protected]>: > On 2016-12-23 17:54:11, Ola Lundqvist wrote: > > Hi > > > > I have looked into CVE-2016-9586 affecting curl. > > What I'm trying to figure out is whether it is worth the effort to fix > > it or not. > > > > More info here: > > https://curl.haxx.se/docs/adv_20161221A.html > > > > 1) There are no known exploits -> minor issue (?) > > "No known exploits" is mostly irrelevant, the severity of the issue > is. In this case, a buffer overflow is severe enough to warrant action, > in my opinion. > > > 2) The functions have been documented as deprecated for a long time > > Considering how old the software in wheezy is, this may mean we still > have some of those tools. :) > > > 3) The problem only occur on applications without proper input > > sanitizing (and using curl_mprintf) so one could even argue that this > > is not really a fault in curl at all. > > This I am more convinced by: it's the format string, not the argument, > so it's less likely to be an attack vector. But as guido said, we can't > review all the instances and we should fix this anyways. > > A. > -- > A man is none the less a slave because he is allowed to choose a new > master once in a term of years. > - Lysander Spooner >
