Dear Raphaël Hertzog;

Peter Degen-Portnoy of the Black Duck Open Hub development team here. We maintain Ohcount and are aware of the defect. An issue has been opened in the GitHub repository for Ohcount: https://github.com/blackducksoftware/ohcount/issues/57

Work is currently underway to address the defect.

Sincerely,
Peter Degen-Portnoy

-----------
Black Duck Software
Peter Degen-Portnoy
Software Engineering Manager / Open Hub Team Lead
Black Duck Software
Black Duck Open Hub <https://www.openhub.net/>

On Thu, 23 Nov 2017 11:40:11 +0100 Raphael Hertzog wrote:
> Hello Sylvestre,
>
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of ohcount:
> https://security-tracker.debian.org/tracker/CVE-2017-16926
>
> Would you like to take care of this yourself?
>
> I tried to file an upstream bug as a first step (since there is no patch
> available yet) but there is no upstream bug tracker apparently... and last
> upstream activity dates back to 2010. I pinged the project owner on
> sourceforge with its integrated messaging feature but I'm not sure that I
> will get any reply back.
>
> Do you have contacts with the upstream authors?
>
> In any case, if you want to handle the wheezy upload, then
> please follow the workflow we have defined here:
> https://wiki.debian.org/LTS/Development
>
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-...@lists.debian.org
> (via a debdiff, or with a URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.
>
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.
>
> You can also opt-out from receiving future similar emails in your
> answer and then the LTS Team will take care of ohcount updates
> for the LTS releases.
>
> Thank you very much.
>
> Raphaël Hertzog,
> on behalf of the Debian LTS team.
>
> PS: A member of the LTS team might start working on this update at
> any point in time. You can verify whether someone is registered
> on this update in this file:
> https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
> --
> Raphaël Hertzog ◈ Debian Developer
>
> Support Debian LTS: https://www.freexian.com/services/debian-lts.html
> Learn to master Debian: https://debian-handbook.info/get/