Thanks for your reply. I don’t have a way to test the vulnerability either. I’d trust Pavel’s assessment and call this done.

On Wed, Jun 7, 2017 at 7:10 AM, Salvatore Bonaccorso <car...@debian.org> wrote:

> Hi Michael
>
> Looks it was good we had first the issue settle a bit with respect for
> a jessie(-security) upload:
>
> On Thu, Jun 01, 2017 at 11:09:17PM +0200, Michael Stapelberg wrote:
> > The original question of how to proceed still stands. I sent the patch in
> > my previous message; do you want me to upload it, or do you want to upload
> > it? If I should do it, let me state for the record that I have no idea what
> > I’m doing (I never uploaded to anything but unstable/experimental).
>
> I learned of http://www.openwall.com/lists/oss-security/2017/06/06/5 .
> Can you confirm, is this assessment correct (for us as well in
> stable)? We have a 2.2.5 based version in jessie, and according to
> upstream for the EOL versions only 2.1.1 through 2.1.7 are affected by
> the problem.
>
> I do not have a way to test the vulnerability on my own.
>
> Regards,
> Salvatore

--
Best regards,
Michael