On Mon, Jun 22, 2020 at 01:55:35PM +0200, Salvatore Bonaccorso wrote: > Hi Roberto, > > On Mon, Jun 15, 2020 at 04:05:15PM -0400, Roberto C. Sánchez wrote: > > On Mon, Jun 15, 2020 at 08:28:14PM +0100, Adam D. Barratt wrote: > > > Control: tags -1 -moreinfo + confirmed > > > > > > On Thu, 2018-11-01 at 21:07 -0400, Roberto C.Sánchez wrote: > > > > On Thu, Nov 01, 2018 at 06:50:53PM +0000, Adam D. Barratt wrote: > > > > > Control: tags -1 + moreinfo > > > > > > > > > > On Wed, 2018-10-31 at 23:25 -0400, Roberto C. Sanchez wrote: > > > > > > I have prepared an update for exiv2 in jessie (0.24-4.1+deb8u2) > > > > > > related to CVE-2018-16336 and also including a minor fix to the > > > > > > previous patch for CVE-2018-10958 and CVE-2018-10999. > > > > > > > > > > The Security Tracker indicates that CVE-2018-16336 is as-yet > > > > > unfixed in unstable; is that correct? > > > > > > > > > Hi Adam, > > > > > > > > That is correct. I completely overlooked it. I will check with the > > > > maintainers about their plans for unstable. > > > > > > > > > > It looks like that eventually happened, early this year(!). > > > > > > If this is still something that you're interested in fixing for > > > stretch, please go ahead. > > > > > The work has already been done, so I will go ahead with an upload > > shortly. > > Given the target fix now for 9.13, can you as well do a corresponding > buster update to avoid a regression from updates from stretch to > buster? > The upstream version for exiv2 is the same in buster and stretch, so I think it should be a trivial update. I will upload exiv2 0.25-4+deb10u1 targeted at suite "buster" within the next 24 hours.
Regards, -Roberto -- Roberto C. Sánchez
