Hi Jonathan,

On Sat, Sep 23, 2017 at 06:24:49PM +0100, Jonathan Wiltshire wrote:
> Control: tag -1 confirmed
>
> On Fri, Aug 18, 2017 at 11:35:09AM +0200, Mattias Ellert wrote:
> > Fri 2017-08-18 at 08:46 +0100, Adam D. Barratt wrote:
> > > On 2017-08-18 8:01, Mattias Ellert wrote:
> > > > Thu 2017-08-17 at 21:59 +0100, Adam D. Barratt wrote:
> > > > > On Thu, 2017-08-17 at 20:22 +0200, Martin Zobel-Helas wrote:
> > > > > > Hi,
> > > > > >
> > > > > > On Thu Aug 17, 2017 at 16:38:36 +0200, Mattias Ellert wrote:
> > > > >
> > > > > [...]
> > > > > > > +gsoap (2.8.35-4+deb9u1) stretch; urgency=medium
> > > > > > > +
> > > > > > > + * Fix for CVE-2017-9765 (Closes: xxxx)
> > > > > > [...]
> > > > > Is there actually a Debian bug for the issue? I couldn't find one.
>
> I've been trying to unpick exactly whether this issue is fixed in unstable
> or not. I can only assume so since the security tracker claims it so
> (https://security-tracker.debian.org/tracker/CVE-2017-9765) but your
> changelog for 2.8.49-1 doesn't mention the CVE. I presume the CVE wasn't
> yet public before you fixed it?

Yes, the issue was fixed upstream in 2.8.48, cf.
https://www.genivia.com/changelog.html#Version_2.8.48_upd_(06/21/2017).
The CVE is not mentioned in upstream changelog, and presumably was as
well only assigned later.

Regards,
Salvatore
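
Review bot: In the quoted changelog hunk for gsoap 2.8.35-4+deb9u1, `(Closes: xxxx)` is still a placeholder. Replace it with the real bug reference in the `Closes: #NNNNNN` form before upload, or drop the clause if no Debian bug exists for the issue, which is the question raised directly under the hunk. Keep the CVE id in the entry: the thread notes that the 2.8.49-1 changelog does not mention it, which is what made the fixed status in unstable hard to confirm.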