Hi,

> See https://security-tracker.debian.org/tracker/CVE-2016-10328

Nice, I see it's in 'fixed' state in 2.5.2-3+deb8u1 already. I guess it was not clear that this does not affect that version last time I checked - I remember it was 'vulnerable' back then (April 21st).

> CVE-2016-10244 was only scheduled for the next point release due to low
> impact, but in the light of the new CVE-2017-8105, it'll be fixed in a DSA
> as well.

I see a previous CVE fixed in Debian-LTS still lights up in jessie:
https://security-tracker.debian.org/tracker/CVE-2016-10244

Do you happen to know if that one's coming out in a DSA?

We're keeping a special watchout for freetype due to our special use case, where a potential DoS or memory access is a real one.

Again, thanks for your efforts, and for keeping freetype secure and patched. Good work!

Regards,
Bolesław Tokarski
