For CVE-2019-11494, three patches were provided by the vendor: https://seclists.org/oss-sec/2019/q2/82
In Ubuntu we included the three patches, but in updating our merge with Debian I notice you included only the latter two. Is this because the first one suppresses a warning, and is considered non-critical? Thank you, Bryce