On May 18, 2021 8:42 pm, Moritz Muehlenhoff wrote: > Source: rust-hyper > Severity: grave > Tags: security > X-Debbugs-Cc: Debian Security Team <t...@security.debian.org> > > CVE-2021-21299: > https://github.com/hyperium/hyper/security/advisories/GHSA-6hfq-h8hq-87mf > https://rustsec.org/advisories/RUSTSEC-2021-0020.html
FWIW, (rust-hyper) doesn't have any rdeps in bullseye AFAICT[1], so it could either be ignored there or removed from bullseye without consequences. for bullseye+1, I plan on updating it as soon as sid is unfrozen again, but the dependency chain needed for that update is quite big so it might take a bit to pass through NEW etc (which was also the reason why it didn't get updated in time pre-freeze). there are no affected rdeps in unstable either though, as they are all using hyper as client, not server. 1: dev/list-rdeps.sh from debcargo-conf agrees