Hello Security Team,
I'm considering fixing the 8 new 7zip CVEs in p7zip/bookworm.
https://security-tracker.debian.org/tracker/source-package/p7zip
For 7zip (not p7zip), YOKOTA Hiroshi prepared SPU & OSPU, bumping from
25.01 to 26.01:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138185
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138181
(only references 1 CVE but this also fixes the 7 others.)
I can prepare a similar OSPU for p7zip.
No need for an SPU as p7zip/trixie is transitional.
As the CVEs are not triaged yet (not marked no-dsa), I'm checking first
if you have plans to handle this, e.g. through a DSA.
Cheers!
Sylvain Beucler
Debian LTS Team