The last release of libidn, 1.33, fixed these bugs:

https://security-tracker.debian.org/tracker/CVE-2015-8948
https://security-tracker.debian.org/tracker/CVE-2016-6261
https://security-tracker.debian.org/tracker/CVE-2016-6263

We already have libidn 1.33 on core-updates.

Quoted from the release announcement [0]:

** libidn: Fix out-of-bounds stack read in idna_to_ascii_4i. See tests/tst_toascii64oob.c for regression check (and the comment in it how to use it). Reported by Hanno Böck.

** idn: Solve out-of-bounds-read when reading one zero byte as input. Also replaced fgets with getline. Reported by Hanno Böck.

** libidn: stringprep_utf8_nfkc_normalize reject invalid UTF-8. It was always documented to only accept UTF-8 data, but now it doesn't crash when presented with such data. Reported by Hanno Böck.

** Dropped valgrind suppressions file, should no longer be needed.

** API and ABI is backwards compatible with the previous version.

[0] https://lists.gnu.org/archive/html/help-libidn/2016-07/msg00009.html
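The announcement notes that the idn tool's fix for the zero-byte input replaced fgets with getline. As an added illustration (not libidn code, and not a reconstruction of the actual bug), the constructed input below is a single NUL byte followed by a newline: fgets hands back a buffer whose strlen() is 0, so the real line length is lost, while getline returns the byte count and keeps the NUL in view. fmemopen and getline are POSIX.1-2008 functions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Constructed sample input: one zero byte, then a newline. */
static const char SAMPLE_INPUT[] = { '\0', '\n' };

/* Read the sample line with fgets and report what strlen() sees.
   fgets copies the NUL byte into the buffer, so the C string looks
   empty: the caller cannot tell how many bytes were actually read. */
size_t line_len_via_fgets(void)
{
    char buf[64];
    FILE *f = fmemopen((void *)SAMPLE_INPUT, sizeof SAMPLE_INPUT, "r");
    if (f == NULL)
        return (size_t)-1;
    size_t len = fgets(buf, sizeof buf, f) ? strlen(buf) : (size_t)-1;
    fclose(f);
    return len;
}

/* Read the same line with getline, which returns the number of bytes
   read (here 2: the NUL and the newline), so the embedded zero byte
   is still accounted for and length-based bounds checks stay honest. */
ssize_t line_len_via_getline(void)
{
    char *line = NULL;
    size_t cap = 0;
    FILE *f = fmemopen((void *)SAMPLE_INPUT, sizeof SAMPLE_INPUT, "r");
    if (f == NULL)
        return -1;
    ssize_t n = getline(&line, &cap, f);
    free(line);
    fclose(f);
    return n;
}
```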