Hi Benjamin,
thanks for trying to contribute. A severity of grave seems a bit
exaggerated for issues with only a medium CVSS score.
On Sat, 4 Apr 2026, Benjamin Leon Dubos wrote:
I have backported and verified the fixes for CVE-2026-34980 and CVE-2026-34990
in CUPS 2.4.16.
Anyway, the entries for each CUPS CVE in the Debian security tracker
contain the upstream commits to fix these issues. Your suggested patch
does not bear any resemblance to them. How were you able to verify that
your patch really fixes the issues?
Is there a reason why you ignored the other three CVEs?
The attached patch is in the standard debian/patches format.
I would like to object here. Other debian/patches acknowledge the author
of the original work.
I am closing this bug again.
Thorsten
