* Moritz Muehlenhoff <j...@debian.org> [2017-08-06 10:41]:
> CVE-2017-12481 was assigned to http://bugs.ledger-cli.org/show_bug.cgi?id=1222
> and CVE-2017-12482 was assigned to
> http://bugs.ledger-cli.org/show_bug.cgi?id=1224

Both are fixed upstream now.

CVE-2017-12481 https://github.com/ledger/ledger/commit/c5343f18744d0f6fddcc590f9a54c23674d8c489
CVE-2017-12481 https://github.com/ledger/ledger/commit/7c0ae5b02571e21f97d45f5d091cb78af9885713

> CVE-2017-12482 is probably entirely mitigated by the hardening build options
> and in general it feels somewhat silly to assign CVE IDs for such crashes...

Yeah, not sure if the security team/Debian maintainer want to publish a
security update for this. But all 4 CVEs are fixed upstream now.

--
Martin Michlmayr
https://www.cyrius.com/