Hi Martin, On Sat, Jan 26, 2019 at 01:18:17PM -0300, Martin Michlmayr wrote: > * Salvatore Bonaccorso <car...@debian.org> [2017-09-24 17:57]: > > the following vulnerability was published for ledger. > > > > CVE-2017-2808[0]: > > | An exploitable use-after-free vulnerability exists in the account > > This has been fixed upstream: > https://github.com/ledger/ledger/commit/f3bad93db256db07b6cb831d4d24f47543f57e4a > We're also working on releasing 3.1.2 with fixes for all 4 CVE items.
Thanks for the update! > I consider this (and all the other CVE issues filed against ledger) > low impact. Salvatore/David, do you want to make a release for > stable? They were marked already no-dsa, so defintively to agree no DSA itself is needed. But if you think they are worh fixing in stable, then they can go via a upcoming point release. > Salvatore, can you tell me how to inform CVE/Mitre once 3.1.2 is out > that these CVEs have been addressed? You can request an update of the CVE entry adding details via the webform at https://cveform.mitre.org/ Hope this helps, Regards, Salvatore
