Hello, every once in a while I have a look at sox, which has many CVEs open and no updates since 3 months, wondering what could be done about it. It seems that all the CVEs have reproducers but not patches. Should I try to work on patches for some of them? I don't mind doing it but it may be nontrivial work, as it may require reading up on the specific audio formats involved. Otherwise, should the issues that have been without patches for months now be tagged with no-dsa for the time being, as most of them are for buster and bullseye? Alternatively, is it worth reaching out to those who have sox installed to figure out what they are using it for, and reassess those vulnerabilities based on the kind of exposure that sox is actually having? Enrico -- GPG key: 4096R/634F4BD1E7AD5568 2009-05-08 Enrico Zini <enrico@enricozini.org>
Attachment:
signature.asc
Description: PGP signature