Relevance of some old CVEs?

2017-06-09 03:30:25

I picked up this chat transcript from an anonymous IRC user on the #vorbis channel:

Quote:
hi. the current release of vorbis-tools (1.4.0) contains several (potential?) security issues (CVE-2014-9638, CVE-2014-9639, CVE-2015-6749) and at least one segfault bug
for the first three, downstream patches seem to exist (e.g. link and link)
i do not know why these were not upstreamed, i.e. are not contained in xiph-tools.git (at least i didn't find the fixes there)
the segfault bug is fixed in git master
so... could you *please* check and add the known fixes and afterwards create a proper release? according to CHANGES, the last one is from 2010-03-25 ...
(yes, i know that opus is the fancy new stuff, but this does not mean that vorbis.* should rot away silently)
tickets:
https://trac.xiph.org/ticket/2009
https://trac.xiph.org/ticket/2137
https://trac.xiph.org/ticket/2136
(note that there might be additional interesting fixes e.g. in the patches directory linked above - i did not check if these were upstreamed. the cves certainly should have higher priority though.)

They're all old bugs, but this user seemed to think they were still relevant in some fashion.