Hi!

On Wed, Dec 07, 2016 at 10:24:05AM +0000, Debian Bug Tracking System wrote:
> * Apply upstream fix for CVE-2016-9841 (closes: #847270).

It looks like there was some confusion about the CVE used? I see the patch applied in this upload is the change for CVE-2016-9840, not the one for CVE-2016-9841? Can you please double-check and, if so, rename the patch? Furthermore, the patch for CVE-2016-9841 would still be missing.

For reference the CVE assignment is here:
https://marc.info/?l=oss-security&m=148097605021134&w=2

> Finding 3: Out-of-bounds pointer arithmetic in inftrees.c (Low)
> https://github.com/madler/zlib/commit/6a043145ca6e9c55184013841a67b2fef87e44c0

Use CVE-2016-9840.

> https://github.com/madler/zlib/commit/9aaec95e82117c1cb0f9624264c3618fc380cecb

Use CVE-2016-9841.

Regards,
Salvatore