On Mon Feb 08 12:30:50 2016, dmossor(a)fedoraproject.org wrote:
Greetings,
I was made aware of CVE-2016-1521 this past weekend, and can find no
reference to this CVE in Red Hat Bugzilla, nor has there been a Red Hat
Security Bulletin regarding this.
I consider this CVE to be critical as it requires zero action on the
part of the user. It can be spread through malvertising, or a minor hack
to a website that calls a 3rd party CSS file.
The Graphite developers released an update in January, but have not
specifically addressed this CVE. Can you provide a statement stating
whether it has been fixed or not?
References:
http://www.talosintel.com/reports/TALOS-2016-0058/
http://news.softpedia.com/news/vulnerability-in-font-processing-library-affects-linux-openoffice-firefox-500027.shtml
Regards,
Dan Mossor
Hello Dan,
Thank you for bringing this to our attention. We'll analyze it as soon as
possible.
Best Regards,
--
Adam Mariš / Red Hat Product Security