Hi Tormod,

On Mon, Jun 14, 2021 at 11:38:34PM +0200, Tormod Volden wrote:
> This issue is marked as affecting 5.42+dfsg1-1 in buster (and even
> stretch) in our CVE tracker, however the openwall report says:
>
> "The issue affects only XScreenSaver version 5.45. Versions 5.44 and
> older, as well as 6.00, are not affected."

Correct, see as well my initial bug report. Though on checking the code
it was not immediately clear (to me) what makes earlier versions not
affected. Thus the general rule for us is to err on the wrong side and
have something marked as affected which is not, rather than the other
way around.

SuSE seem to have a similar issue, cf.
https://bugzilla.suse.com/show_bug.cgi?id=1186918#c1

Do you have any more insights here?

Regards,
Salvatore