by landave 2976 days ago
That's right, they patched CVE-2017-17969, which affected ZIP decompression. Interestingly, I believe they didn't patch CVE-2018-5996 (affecting RAR), which I published [0] on January 23 together with CVE-2017-17969.

[0]: https://landave.io/2018/01/7-zip-multiple-memory-corruptions...

1 comments

The Debian security team doesn’t patch packages from the non-free repository, like the 7-Zip RAR support:

https://www.debian.org/security/faq#contrib

That would have to wait for the maintainer to upload a new version and get it into a stable release.