Hi,

On Wed, Apr 20, 2016 at 11:01:29PM +0200, Sebastian Andrzej Siewior wrote:
> On 2015-03-15 06:42:08 [+0100], Salvatore Bonaccorso wrote:
> > On Tue, Feb 17, 2015 at 10:07:06AM +0000, Patrick Coleman wrote:
> > > * Remote null pointer dereference
> > > A remote user can cause a null pointer dereference by sending a
> > > malformed Authorization: header.
> > > http://patrick.ld.net.au/libcsoap/nanohttp-nullp-1.patch
> >
> > For this issue CVE-2015-2297 was assigned.
>
> What do we do here? That bug is open for slightly over a year with a
> security tag and zero activity. We had two patches here which do now
> 404. popcon goes down and it could have something to do with not being
> part of stable. The current binary depends on libssl1.0.0 which has no
> source, a binNMU would fix it (just tried, that is why I stumbled over
> it).
> So we fix this? Do we remove it? In case we want to fix, has someone a
> copy of the two patches?

Given the package looks unmaintained (last update by maintainer back in 20 Jun 2010), I think it is the best option to remove the package as well from unstable. It is already gone in testing, so will not be included in stretch and neither was in jessie.

Regards,
Salvatore