Package: libykpiv1
Severity: serious
Tags: security pending stretch buster sid
Justification: security

libykpiv1 versions below 1.6.0 are affected by a buffer overflow,
exploitable by malicious USB devices, that can lead to arbitrary
code execution.

I will upload the fixed upstream version later today, and coordinate
with the security team to get it fixed in stretch and jessie-backports.

Best,

  nicoo

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.17.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libykpiv1 depends on:
ii  libc6         2.27-5
ii  libpcsclite1  1.8.23-3
ii  libssl1.1     1.1.0h-4

Versions of packages libykpiv1 recommends:
ii  pcscd  1.8.23-3

libykpiv1 suggests no packages.