Hi Andreas,

On Sun, Mar 13, 2022 at 09:07:20PM +0100, Salvatore Bonaccorso wrote:
> Hi Andreas,
>
> On Sun, Mar 13, 2022 at 10:24:16AM +0000, Debian Bug Tracking System wrote:
> > netpbm-free (2:10.97.00-1) unstable; urgency=medium
> > .
> >   * Team upload.
> >   * New upstream version
> >     - Closes: #977007, #386388, #847241
> >       CVE-2017-2579, CVE-2017-2580 and CVE-2017-2581 before 10.61 thus
> >     - Closes: #854978
>
> The before 10.61 is just because of the CVE description right? Note we
> cannot rely on the CVE description, because they might reflect a
> specific writing up in time and other aspects.
>
> Do we have an upstream revision indicating that those issues are
> really fixed?

For example, CVE-2017-2581 is probably
https://sourceforge.net/p/netpbm/code/2989/ ? (which would only be in
10.78.05). So one really needs to be careful with description
information and verify if those are true.

If following the SuSE triage then *possibly* for two issues the fix is
revision 2821 upstream, while for CVE-2017-2581 it would be the above.

Thanks for looking into the update!

Regards,
Salvatore
