by candiddevmike 707 days ago
The risk you take when you use a distribution that modifies upstream. Debian has had similar issues in the past (maybe not CVEs, but certainly packager-created bugs).

It's risks all the way down. There are risks to not patching upstream as well.
Debian has a fairly famous one: CVE-2008-0166
Ouch, that one's bad: https://github.com/g0tmi1k/debian-ssh#the-bug

>These lines were removed because they caused the Valgrind and Purify tools to produce warnings about the use of uninitialized data in any code that was linked to OpenSSL. Removing this code has the side effect of crippling the seeding process for the OpenSSL PRNG. Instead of mixing in random data for the initial seed, the only "random" value that was used was the current process ID. On the Linux platform, the default maximum process ID is 32,768, resulting in a very small number of seed values being used for all PRNG operations.

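To illustrate the quoted write-up, here is an added toy simulation (not code from the thread, the linked repository or OpenSSL itself): a hash-based stand-in for the PRNG, seeded either with only a process ID or with OS entropy plus the PID, showing that PID-only seeding collapses every key the generator can ever emit into at most 32,768 values, which is also what makes a weak-key blacklist check feasible. `PID_MAX`, `drbg_output` and the key length are assumptions of the example.

```python
import hashlib
import os
from typing import Optional

PID_MAX = 32768  # Linux default maximum PID cited in the quoted write-up


def drbg_output(seed_material: bytes, nbytes: int = 16) -> bytes:
    """Toy deterministic generator: hash-expand the seed material.
    Constructed stand-in for a PRNG, not OpenSSL's real algorithm."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(seed_material + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:nbytes]


def weak_seed(pid: int) -> bytes:
    """Seeding as crippled by the patch: only the PID reaches the pool."""
    return pid.to_bytes(4, "big")


def strong_seed(pid: int, entropy: bytes) -> bytes:
    """Intended seeding: OS entropy is mixed in; the PID is one more input."""
    return entropy + pid.to_bytes(4, "big")


def generate_key(pid: int, entropy: Optional[bytes]) -> bytes:
    """Derive a toy key; entropy=None models the crippled seeding path."""
    seed = strong_seed(pid, entropy) if entropy is not None else weak_seed(pid)
    return drbg_output(seed)


def enumerate_weak_keys() -> set:
    """Every key the weakly seeded generator can produce: one per PID.
    This is the basis of a blacklist-style weak-key check."""
    return {generate_key(pid, None) for pid in range(1, PID_MAX + 1)}


def is_weak_key(key: bytes, weak_set: set) -> bool:
    """Flag a key that belongs to the enumerable weak set."""
    return key in weak_set


def count_distinct(n_processes: int, weak: bool) -> int:
    """Distinct keys seen across n_processes key generations."""
    keys = set()
    for i in range(n_processes):
        pid = (i % PID_MAX) + 1  # PIDs wrap once the table is exhausted
        keys.add(generate_key(pid, None if weak else os.urandom(32)))
    return len(keys)
```

With weak seeding, `count_distinct` never exceeds `PID_MAX` no matter how many keys are generated, while the properly seeded path yields a fresh key every time.
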
In that particular case upstream _was_ consulted and had acked the patch.
Upstream was consulted for a similar change in another location, where the code was actually unnecessary.