Hi Afif,

On Thu, May 16, 2019 at 12:59:55PM -0400, Afif Elghraoui wrote:
>
>
> On May 15, 2019 5:13:24 PM EDT, Salvatore Bonaccorso <car...@debian.org> wrote:
> >Hi Afif,
> >
> >On Wed, May 15, 2019 at 10:57:49PM +0200, Salvatore Bonaccorso wrote:
> >> Then there is nothing further to be done.
> >
> >Oh, actually there is an open point: Is it confirmed that 3.0.3 is not
> >affected by the CVE? Did you get any information why this is only
> >introduced in 3.1.0?
> >
>
> Ok, I asked upstream and the answer is that the commit that
> introduced the bug came after 3.0.3.

Thanks a lot for confirming! This post to oss-security confirms it:

https://www.openwall.com/lists/oss-security/2019/05/16/1

The security-tracker now will mark as well the buster version then as
not-affected.

Thanks for your work!

Regards,
Salvatore