On Sun, 15 Sep 2024 at 23:18:53 +0200, Moritz Mühlenhoff wrote:
> The following vulnerability was published for vte. This is already addressed
> in vte2.91, but also filing this for completeness for the deprecated source
> package:
>
> CVE-2024-37535[0]:
> | GNOME VTE before 0.76.3 allows an attacker to cause a denial of
> | service (memory consumption) via a window resize escape sequence, a
> | related issue to CVE-2000-0476.
I think this is wontfix. The only reason why the GTK2-based vte is still in Debian at all is for the benefit of debian-installer, which hasn't caught up with GTK3 yet.

In principle we could remove the .deb and leave only the .udeb, but I think that would make it harder to test vte, so is probably not a great idea.

It would probably make sense to add vte to the list of packages that don't have security support.

smcv