On Sat, Jan 09, 2016 at 07:45:43PM -0000, Andre Robatino wrote:
I think you're looking at the wrong time period.
libpng-1.6.19-1.fc23
went to stable on 2015-11-23 (see
https://bodhi.fedoraproject.org/updates/FEDORA-2015-9199a1bfe1 ). At
this time, 1.6.17-3 had already been pushed to testing and was just
sitting there. Then it was submitted for stable on 2016-01-06 and went
to stable on 2016-01-07 (see
https://bodhi.fedoraproject.org/updates/FEDORA-2015-4ad4998d00 ),
downgrading the newer version.
To make things even more exciting in a changelog on koji one can find
these:
....
* Wed Nov 18 2015 Petr Hracek <phracek(a)redhat.com> - 2:1.6.17-4
- Security fix for CVE-2015-8126 (#1281757, #1281756). Proper patch
* Wed Nov 18 2015 Petr Hracek <phracek(a)redhat.com> - 2:1.6.17-3
- Security fix for CVE-2015-8126 (#1281757, #1281756).
....
On a face value of this an "unproper" fix went to bodhi. If the current
libpng-1.6.19 required any fixes at all it is not clear.
Michal