Hi, On Sun, Dec 01, 2024 at 10:14:16PM +0100, Lee Garrett wrote: > Hi, > > these three CVEs are now fixed in buster and bullseye. This means users who > upgrade to bookworm will be vulnerable to those issues again. Can we get a > decision from the release team on this bug? Is there any information missing > to make a decision?
What is the status on this? Lee, I have not looked at all the changes between the current bookworm version and trixie, but you might need to bake-out changes not suitable for bookworm. The alternative is actually to otherwise do a new upstream version import on top of the current packaging. Looking in particular on the 2.90-1 changelog there might be much packaging overhaul as well. Hope that helps. I think it will now be too late for 12.9 in a few days but ideally those CVE fixes are landing for 12.10. Regards, Salvatore
