On Fri, 2022-10-14 at 13:58 +0200, Timo Röhling wrote:
> * Adam D. Barratt <a...@adam-barratt.org.uk> [2022-10-14 12:53]:
> > On Fri, 2022-10-14 at 11:53 +0100, Adam D. Barratt wrote:
> > > Control: tags -1 + confirmed
> > >
> > > On Sun, 2022-10-02 at 19:38 +0200, Timo Röhling wrote:
> > > > The update fixes two vulnerabilities with low priority, i.e.
> > > > the security team has decided not to issue a DSA.
> > > >
> > > > [ Impact ]
> > > > CVE-2022-34300: Heap overflow in DecodePixelData
> > > > CVE-2022-38529: Heap overflow in rleUncompress
> > > >
> > > >
> > > > + * Fix low-priority vulnerabilities
> > >
> > > I'm not sure I'd use that wording in a changelog personally - more
> > > likely just "fix security issues" or "backport fixes" or similar - but
> > > it's up to you.
> >
> > Hmmm. The debdiff you've uploaded is rather larger than I was
> > expecting, or was proposed.
> >
> > That appears to be (which I should have spotted earlier) because stable
> > has 1.0.0+dfsg-1 and your upload is based on 1.0.*1*+dfsg-1.
> Is there something we can do about this?
> Should I prepare a new upload with 1.0.1+really1.0.0, for instance?

There's a holding queue in front of proposed-updates, so the upload
isn't in the archive yet. Assuming the diff would be similar to that
initially proposed, you can simply prepare and upload
1.0.0+dfsg-1+deb11u1 and we can sort things out from there.

Regards,

Adam