On Thu, Apr 21, 2016 at 06:58:18AM +0200, Salvatore Bonaccorso wrote:
> Hi,
>
> On Wed, Apr 20, 2016 at 11:01:29PM +0200, Sebastian Andrzej Siewior wrote:
> > On 2015-03-15 06:42:08 [+0100], Salvatore Bonaccorso wrote:
> > > On Tue, Feb 17, 2015 at 10:07:06AM +0000, Patrick Coleman wrote:
> > > > * Remote null pointer dereference
> > > > A remote user can cause a null pointer dereference by sending a
> > > > malformed Authorization: header.
> > > > http://patrick.ld.net.au/libcsoap/nanohttp-nullp-1.patch
> > >
> > > For this issue CVE-2015-2297 was assigned.
> >
> > What do we do here? That bug is open for slightly over a year with a
> > security tag and zero activity. We had two patches here which do now
> > 404. popcon goes down and it could have something to do with not being
> > part of stable. The current binary depends on libssl1.0.0 which has no
> > source, a binNMU would fix it (just tried, that is why I stumbled over
> > it).
> > So we fix this? Do we remove it? In case we want to fix, has someone a
> > copy of the two patches?
>
> Given the package looks unmaintained (last update by maintainer back
> in 20 Jun 2010, I think it is the best option to remove the package as
> well from unstable). It is already gone in testing, so will not be
> included in stretch and neither was in jessie.

Ack, let's remove this.

Cheers,
Moritz