Hello Werner,

Thank you for the insight about the "..." and tags.

I arrived at the conclusion because I was expecting a mention of CVE-2022-27404 and the change that fixed it. But it wasn't there. Looking at the docs/CHANGES, there was a mention of a CVE-2018-25032, which made me think that mitigated CVE's were the ones that were mentioned. So if the CVE wasn't there, it hasn't been mitigated yet. Since CVE-2022-27404 wasn't listed, I assumed the worst, that the fix hadn't been pulled into the release for a reason unknown to me. So I had to ask to get clarification.

With the insight you provided with the version tagging, it provided clarity and disproved my assumption that the fix wasn't in version 2.12.1 when in reality it was.

Hope that helps and thanks again!

Regards,
Aaron

-----Original Message-----
From: Werner LEMBERG <w...@gnu.org>
Sent: Wednesday, June 29, 2022 9:22 PM
To: Arenas, Aaron <aaron.are...@intel.com>
Cc: freetype@nongnu.org
Subject: Re: [URGENT] Confirmation of Fixes for CVE's in 2.12.1

> Can you confirm which or if all the following fixes/patches/commits
> that resolve issues and CVE's below are incorporated into latest
> available version, 2.12.1? [...]

They are, because...

> I see that version 2.12.1 was released 1 month ago [...] and that
> these fixes were committed 3 months ago.

... exactly of that. We don't maintain any other branch except 'master'.

> I would have expected the fixes to be incorporated. But it's unclear
> based results of code scan and changelog.

How did you come to this 'unclear' conclusion? If you follow the links to the gitlab instance, just press the '...' button next to 'master', and you can immediately see the affected version tags.

    Werner