Hi Thanks for raising this problem.
On Wed, May 05, 2021 at 10:12:34PM +0200, Andreas Beckmann wrote: > Source: mqtt-client > Version: 1.14-1 > Severity: serious > Tags: security > User: debian...@lists.debian.org > Usertags: piuparts > Control: fixed -1 1.14-1+deb9u1 > > Hi, > > CVE-2019-0222 is fixed in stretch-security but not buster, making > upgrades difficult since stretch-security has a newer version than > buster. > Please upload the fix to buster, too. > > mqtt-client | 1.14-1 | stretch | source > mqtt-client | 1.14-1 | buster | source > mqtt-client | 1.14-1+deb9u1 | stretch-security | source > mqtt-client | 1.16-1 | bullseye | source > mqtt-client | 1.16-1 | sid | source FWIW, the issue will not warrant a DSA, so a fix for it for buster should go via an upcoming point release. Regards, Salvatore
