[Removing Sylvain Beucler from the list, the email bounces]

On 2/1/26 17:19, Tobias Frost wrote:

The bookworm update should target at least
CVE-2022-48174, CVE-2023-42364, CVE-2023-42365 - those are the "gap"
between bullseye and bookworm.

Ok, this makes sense.

It won't hurt to fix CVE-2023-42363, too, as this one is already fixed
in trixie and newer.

This makes sense too.

So I will primarily target the above.

CVE-2023-39810 would be nice too, but that will trigger a need to
update trixie as well. It's triaged as non-dsa by the security team, so
this would become a stable-proposed-update. (Let me know your thoughts
about this one.)

Aha, this one is fixed after trixie has been released.  We can back-port
the fix to a trixie version.

From what I can see (it seems that upstream bug tracker is restricting
access), the 4 open CVEs in sid/testing don't have a resolution
yet. Do you by chance have an upstream contact to ask about them?

From what I see, the upstream bug tracking system has been broken for a few
years and no one bothered to fix it - it is not restricting access but is
unable to process requests due to errors in SQL queries.

No, I've no other contact besides Denis's email and the mailing list.
There are numerous, multiple mentions in there about non-working bugzilla.

I've added fixes for other CVEs too.  There are a few other changes
around as well, but let's not do too much :)

Thanks,

/mjt
