On Thu, 2023-09-14 at 08:31 +0200, Sebastian Andrzej Siewior wrote:
> On 2023-09-14 06:31:26 [+0100], Adam D. Barratt wrote:
> > On Wed, 2023-09-13 at 22:01 +0200, Sebastian Andrzej Siewior wrote:
> > > On 2023-09-13 17:26:46 [+0100], Adam D. Barratt wrote:
> > > > How does this sound for an SUA?
> > [...]
> > > This sounds entirely fine to me. I don't think that it is needed to
> > > point out that bullseye is not affected by the second issue.
> > >
> >
> > Great, thanks.
> >
> > > There is also this thing regarding libclamunrar and the update to
> > > v6.2.10 of the bundled library. I *think* it is related to
> > > CVE-2023-40477. Since unrar itself is only in -pu I think it is okay
> > > for libclamunrar to follow the same fate.
> > >
> >
> > Just to be completely sure, "follow the same fate" here means leaving
> > libclamunrar in (o-)p-u until the point releases?
>
> I mean there is no reason to push libclamunrar via d/updates if the
> unrar package isn't. Therefore I don't mind keeping libclamunrar in
> (o-)p-u until the point release. It is non-free after all.

Great, we agree. :)

I'll try and get this sorted this evening, worst case it should be tomorrow.

Regards,

Adam