A local exploit has no "remote exploitation risk" by its very definition. Your statement just shows that you have no clue what you are talking about.
Except if combined with a remote vulnerability, perhaps in the web app running locally on the server, or your web browser running on your laptop.
“Its exploitation requires two non-default options: a ProxyCommand, and either ForwardAgent (-A) or ForwardX11 (-X),” Qualys said. “This buffer overflow is therefore unlikely to have any real-world impact.”
99.9% of all *nix servers on the planet with SSH on them do not use either option. Good that they patched it, but otherwise, I don't think I'm going to be in a massive hurry to do crash-patching this weekend.
It's a client-side bug, and both agent and X11 forwarding are fairly common there.
Bugs were introduced (probably not on purpose) into GTK2 after GTK3 was released, and those bugs will never be fixed. For example I periodically get bug reports for one of my applications which I’ve traced down to GtkFileChooserButton and it’s a known issue no one will fix in GTK2.
Gtk2 is still maintained and as far as I know there are no immediate plans to stop that. We had a gtk2 release just last month which fixed eight bugs.
Huge parts of GTK2 have been deprecated, for example:
The horizontal/vertical Box layout scheme, which is how you were supposed to do all layouts in GTK2, and despite the deprecation warnings from the compiler there has been no alternative layout mechanism identified in the documentation.
The entire thread API, which is at the centre of any multi-threaded application. I don’t know if this was replaced with something else or dropped completely.
The GtkVBox/GtkHBox classes are deprecated but the documentation names several alternatives, the primary one being GtkGrid which combines the functionality of both classes.
I don't know what he means by the thread API. The GThread API is not going anywhere if that's what he means.
The new library is clearly unfinished. For example the GtkAboutDialog is simply broken in the current version of GTK3.
Not sure what he means here. As far as I know it's used by several applications.
Serious bugs in GTK3 are ignored. For example I spent a day researching why they broke the scrollbars in GTK3, found that it was probably done accidentally (the new functionality doesn’t fit even their own designs), filed a bug, and five months later – still not so much as an acknowledgement that this is a problem.
I completely agree that this is a problem. The team developing and maintaining Gtk+ is understaffed and this is an unfortunate side effect.
It is easier to write an incorrect program than understand a correct one.