openSUSE has issued an advisory on October 21:
Mageia 5 and Mageia 6 are also affected.
Assigning to the registered maintainer.
It looks like SUSE has a typo in one of their patch CVE numbers. The patch which claims to cover CVE-2017-1486 actually covers 1486. There is a ticket on CVE-2017-14865 (and five others) still open upstream. But I found a more comprehensive patch set upstream anyway.
https://github.com/Exiv2/exiv2/pull/120 backports fixes for 15 CVEs to 0.26 (CVE-2017-11337, CVE-2017-11338, CVE-2017-11339, CVE-2017-11340, CVE-2017-11553, CVE-2017-11591, CVE-2017-11592, CVE-2017-11683, CVE-2017-12955, CVE-2017-12956, CVE-2017-12957, CVE-2017-14859, CVE-2017-14860, CVE-2017-14862, CVE-2017-14864), and some research found that the same patch fixed CVE-2017-11336 and CVE-2017-14857 also.
Patched package uploaded for cauldron. Mageia 6 will be forthcoming as will Mageia 5 if the patch applies.
Bug 21158 fixes all the CVEs cited above except 14869 (perhaps it does).
Can this bug be closed in consequence?
(In reply to Lewis Smith from comment #3)
> Bug 21158 fixes all the CVEs cited above except 14869 (perhaps it does).
> Can this bug be closed in consequence?
Once the update for Bug 21158 is pushed.