Hi Salvatore,

On Sun, Mar 13, 2022 at 09:33:01PM +0100, Salvatore Bonaccorso wrote:
> > On Sun, Mar 13, 2022 at 10:24:16AM +0000, Debian Bug Tracking System wrote:
> > > CVE-2017-2579, CVE-2017-2580 and CVE-2017-2581 before 10.61 thus
> > > - Closes: #854978
> >
> > The before 10.61 is just because of the CVE description right? Note we
> > cannot rely on the CVE description, because they might reflect a
> > specific writing up in time and other aspects.
> >
> > Do we have an upstream revision indicating that those issues are
> > really fixed?
>
> For example, CVE-2017-2581 is probably
> https://sourceforge.net/p/netpbm/code/2989/ ? (which would only be in
> 10.78.05). So one really needs to be careful with description
> information and verify if those are true. If following the SuSE triage
> then *possibly* for two issues the fix is revision 2821 upstream,
> while for CVE-2017-2581 it would be the above.

I admit I just trusted the description without checking the code in
detail. If you think this is wrong I'm perfectly fine if you reopen the
bug.

> Thanks for looking into the update!

It was obviously very long overdue and I did my best in the limited time
span I was able to spend on this package.

Kind regards

Andreas.

--
http://fam-tille.de