Hi, Sorry, I messed this up.
The fix for CVE-2016-8569 was included in the 0.24.2-1 release, but the fix for CVE-2016-8568 wasn't. Sorry about that; I have pushed a new version to unstable that includes the fix. The version is 0.24.5-1. I realised the mistake when I was reviewing some diffs before an upload yesterday.

Salvatore Bonaccorso <car...@debian.org> writes:

> Source: libgit2
> Version: 0.24.1-2
> Severity: grave
> Tags: security upstream
>
> Hi,
>
> the following vulnerabilities were published for libgit2.
>
> CVE-2016-8568[0, 3]:
> Read out-of-bounds in git_oid_nfmt
>
> CVE-2016-8569[1, 4]:
> DoS using a null pointer dereference in git_commit_message
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2016-8568
> [1] https://security-tracker.debian.org/tracker/CVE-2016-8569
> [2] https://marc.info/?l=oss-security&m=147594097425642&w=2
> [3] https://github.com/libgit2/libgit2/issues/3936
> [4] https://github.com/libgit2/libgit2/issues/3937
> [5] https://github.com/libgit2/libgit2/pull/3956
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore

-- 
Cheers, Russell