On Thu, Apr 27, 2017 at 01:04:54PM +0200, Bolesław Tokarski wrote:
> Hi,
>
> > See https://security-tracker.debian.org/tracker/CVE-2016-10328
>
> Nice, I see it's in 'fixed' state in 2.5.2-3+deb8u1 already. I guess it was
> not clear that this does not affect that version last time I checked - I
> remember it was 'vulnerable' back then (April 21st).

"fixed" in that page applies to both "patched" and "not affected to begin
with", so it was only tagged as "fixed" after I had investigated
CVE-2016-10328 to be a non-issue for stable and committed that to the
security tracker DB.

> > CVE-2016-10244 was only scheduled for the next point release due to low
> > impact, but in the light of the new CVE-2017-8105, it'll be fixed in a DSA
> > as well.
>
> I see a previous CVE fixed in Debian-LTS still lights up in jessie:
> https://security-tracker.debian.org/tracker/CVE-2016-10244
>
> Do you happen to know if that one's coming out in a DSA?

Yes, that will be included in the next DSA.

Cheers,
Moritz
