On 2025-05-05 18:37:00 +0200, Sebastian Humenda wrote:
> Package: release.debian.org
> Severity: important
> X-Debbugs-Cc: pkg-a11y-de...@alioth-lists.debian.net
>
> Hi
>
> QuickJS has two CVEs, see
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104255 .
> Upstream has fixed the CVEs in a new version that at the same time makes an
> API-incompatible change. Backporting the CVEs can be riskier than packaging the new
> upstream version. Currently the only downstream user of QuickJS is Edbrowse,
> which statically links to QuickJS and is also affected by the API change.
>
> In an attempt to close the CVEs, I've uploaded the latest QuickJS 2025.04.26
> and would now need to upload the already packaged Edbrowse (see SALSA). I
> suppose this is against the release plan/policy, hence I'm raising it here.

So I suppose that caused #1104835, right? Could you please fix the state in
unstable and then file unblock bugs for both.

Cheers

>
> As I said, I believe it will be easier for Trixie to get the latest versions
> into Debian, as this will decrease the maintenance burden, especially in the
> case of future CVEs.
>
> Thanks

--
Sebastian Ramacher