Bug#933860: pango1.0: CVE-2019-1010238

Simon McVittie smcv at debian.org
Sun Aug 4 17:48:38 BST 2019


On Sun, 04 Aug 2019 at 17:27:34 +0100, Simon McVittie wrote:
> On Sun, 04 Aug 2019 at 15:53:28 +0200, Salvatore Bonaccorso wrote:
> > Please adjust the affected versions in the BTS as needed.
> 
> I'll check the upstream reproducer against stretch (and jessie for the
> LTS people's benefit) soon.

The reproducer provided on the embargoed upstream bug would seem to
indicate that stretch and jessie are not affected.

Ubuntu 18.04 'xenial' is also shipping pango1.0 1.40.x (although a
later release than the one in stretch), and Ubuntu have not patched that
version for this CVE.

    smcv



More information about the pkg-gnome-maintainers mailing list