Hi Andres, On Wed, Feb 01, 2023 at 03:47:03AM -0500, Andres Salomon wrote: > Hi Security Team & Jeremy, > > I had originally planned to ask the release team about fixing #1029845 (the > bug below) in bullseye via t-p-u. However, it would appear that there's also > an outstanding security bug in harfbuzz (CVE-2022-33068, tracked at > #1013673). So instead, maybe it's better if we group the font removal and > the security fix together and upload something like what I've attached (a > debdiff against 2.7.4-1) to bullseye-security. What do folks think?
Note that CVE-2022-33068 is no-dsa, so the security fix can just be batched in in the bullseye-pu update and fixed in the next point release. Regards, Salvatore