There is the RUSTSEC-2025-0051 advisory for rust-xcb:

I feel calling this a "security" issue is a stretch.

https://rustsec.org/advisories/RUSTSEC-2025-0051.html
| xcb::Connection::connect_to_fd* functions violate I/O safety

The so-called "fixed version" doesn't seem to actually "fix"
anything; it just marks some functions as deprecated and
adds some new functions. The existing problematic functions
remain present; they are just deprecated (which will trigger
a compiler warning, but who reads those).

There seem to be two reverse dependencies of rust-xcb in
Debian; a quick look on Debian code search suggests that
neither uses the problematic functions.

I'll upload the new version anyway.
