From $URL :
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-5129 to the following:
Heap-based buffer overflow in the WebGL subsystem in Google Chrome OS before 23.0.1271.94 allows
remote attackers to cause a denial of service (GPU process crash) or possibly have unspecified
other impact via unknown vectors.
Fixed since 9.0.3/9.1. Do we want to stable 9.0.3, or just clean up?
mesa-9.0.3 is affected by CVE-2013-1993, so there is little point in stabilizing that.
If/when upstream releases 9.0.4 with that fixed, we will consider it for stabilization.
Well, we still have vulnerable stuff in tree. I don't suppose we can remove 9.0.*?
CVE-2013-1993 is fixed in upstream's 9.0 branch, but no release was made from that branch since then. As some users still depend on old mesa, p.masking affected versions is probably better.
Vulnerable versions no longer in tree
No stabilization as per comments, 9.1.6 is stable.
Added to existing GLSA draft.
Maintainer(s), thank you for your work!
Vulnerable versions have been p.masked.
This issue was resolved and addressed in
GLSA 201404-06 at http://security.gentoo.org/glsa/glsa-201404-06.xml
by GLSA coordinator Mikle Kolyada (Zlogene).