From ${URL}: In 2011 the problem with alloca() was not defined as a vulnerability. http://sourceware.org/bugzilla/show_bug.cgi?id=12671 @maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for stabilization or not.
I don't understand. Where exactly is the problem? As far as I can see, there is no exploitable bug on Linux (i.e., I also have no crashes with the examples provided in the glibc bug report).
As far as I can tell, upstream said that this isn't a vuln. I'm not sure what to do with this. @security: thoughts?