Ludovic Courtès writes:

> Hello,
>
> Marius Bakke writes:
>
>> These issues have been classified as minor by Debian:
>>
>> https://security-tracker.debian.org/tracker/CVE-2017-15670
>> https://security-tracker.debian.org/tracker/CVE-2017-15671
>>
>> ...and are not worth the cost of grafting and maintaining this patch.
>
> I don’t see Debian’s classification as “minor”, but I see NVD severity
> “high” and “medium” (I personally fail to imagine concrete remote
> exploitation scenarios, but I largely lack the mental muscles for this.)

At the bottom of the page is the status for the stable releases, which
didn't get a DSA due to being a minor issue.

The recent update of glibc on core-updates included a fix for a similar
problem:

https://security-tracker.debian.org/tracker/CVE-2017-15671

I suppose we can graft that too, but would prefer to just drop them. We
get the fixes when we merge core-updates in a few weeks anyway.