Dear LTS Team,

Since ming is still being used on many systems [1], I have prepared fixes for the known vulnerabilities [2] and upstreamed them. While preparing the fixes I could not avoid noticing the lack of proper input checking at numerous other places which could be exploited for various kinds of attacks.

I have closed many security holes, but there are still way more than we could handle, thus I suggest marking ming as not supported in the debian-security-support package. Before doing so I would happily update the package with the patches I have already prepared and issue a DLA also mentioning that the package is still not safe to use on untrusted data.

What do you think?

Cheers,
Balint

[1] https://qa.debian.org/popcon.php?package=ming
[2] https://github.com/libming/libming/pull/63
