http://www.openwall.com/lists/oss-security/2016/02/08/1

Also see: http://xdelta.org/

"3.0.11 is a bug-fix release addressing a performance bug and several crashes in the decoder (discovered by afl-fuzz)."

It looks like this has moved to github as well.

A commit references this bug:

Author: danilo
Date: Mon Feb 15 23:49:12 UTC 2016
New revision: 408964
URL: https://svnweb.freebsd.org/changeset/ports/408964

Log:
  - Update to 3.0.11
  - Address CVE-2014-9765

  PR: 207174
  Submitted by: junovitch
  MFH: 2016Q1

Changes:
  head/misc/xdelta3/Makefile
  head/misc/xdelta3/distinfo
  head/misc/xdelta3/files/patch-testing-regtest.cc.patch
  head/misc/xdelta3/files/patch-testing_regtest.cc

A commit references this bug:

Author: junovitch
Date: Tue Feb 16 01:00:26 UTC 2016
New revision: 408967
URL: https://svnweb.freebsd.org/changeset/ports/408967

Log:
  Document xdelta3 buffer overflow vulnerability

  PR: 207174
  Security: CVE-2014-9765
  Security: https://vuxml.FreeBSD.org/freebsd/f1bf28c5-d447-11e5-b2bd-002590263bf5.html

Changes:
  head/security/vuxml/vuln.xml

A commit references this bug:

Author: danilo
Date: Tue Feb 16 23:53:10 UTC 2016
New revision: 409025
URL: https://svnweb.freebsd.org/changeset/ports/409025

Log:
  MFH: r408964

  - Update to 3.0.11
  - Address CVE-2014-9765

  PR: 207174
  Submitted by: junovitch
  Approved by: ports-secteam (miwi)

Changes:
  _U branches/2016Q1/
  branches/2016Q1/misc/xdelta3/Makefile
  branches/2016Q1/misc/xdelta3/distinfo
  branches/2016Q1/misc/xdelta3/files/patch-testing-regtest.cc.patch
  branches/2016Q1/misc/xdelta3/files/patch-testing_regtest.cc

Catch bugzilla up with commits and close PR.