On Wed, 2023-09-13 at 22:01 +0200, Sebastian Andrzej Siewior wrote:
> On 2023-09-13 17:26:46 [+0100], Adam D. Barratt wrote:
> > How does this sound for an SUA? [...]
> This sounds entirely fine to me. I don't think that it is needed to
> point out that bullseye is not affected by the second issue.
>

Great, thanks.

> There is also this thing regarding libclamunrar and the update to
> v6.2.10 of the bundled library. I *think* it is related to
> CVE-2023-40477. Since unrar itself is only in -pu I think it is okay
> for libclamunrar to follow the same fate.
>

Just to be completely sure, "follow the same fate" here means leaving
libclamunrar in (o-)p-u until the point releases? I assume the bundled
library isn't used as-is in the Debian packaging, that being why
libclamunrar exists.

Regards,

Adam