Hi Adam, On Sat, Feb 04, 2023 at 06:28:28PM +0000, Adam D. Barratt wrote: > Control: tags -1 + confirmed > > On Wed, 2023-01-25 at 21:32 +0100, Salvatore Bonaccorso wrote: > > I would like to propose to update libxpm in bullseye as well fixing > > some no-dsa tagged CVEs by simply rebuilding the package which got > > uploaded to unstable (without other changes apart addressing issues): > > > > +libxpm (1:3.5.12-1.1~deb11u1) bullseye; urgency=medium > > + > > + * Non-maintainer upload. > > + * Rebuild for bullseye > > + > > + -- Salvatore Bonaccorso <[email protected]> Wed, 25 Jan 2023 > > 21:19:41 +0100 > > + > > +libxpm (1:3.5.12-1.1) unstable; urgency=medium > > + > > + * Non-maintainer upload. > > + * Fix CVE-2022-46285: Infinite loop on unclosed comments > > + * Fix CVE-2022-44617: Runaway loop with width of 0 and enormous > > height > > + * configure: add --disable-open-zfile instead of requiring > > -DNO_ZPIPE > > + * Fix CVE-2022-4883: compression commands depend on $PATH > > + * Prevent a double free in the error code path > > + * Use gzip -d instead of gunzip > > + * debian/rules: configure: Set explicitly runtime paths for > > {,un}compress > > + and gzip. > > > > Please go ahead.
Thank you, have done the upload.

Regards,
Salvatore
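Review bot: the last item of the 1:3.5.12-1.1 entry, "debian/rules: configure: Set explicitly runtime paths for {,un}compress and gzip", does not say which paths are passed to configure. The CVE-2022-4883 item above it is about the compression commands depending on $PATH, so naming the absolute paths in the changelog (or in a comment in debian/rules) would let a reader confirm that the rebuilt package no longer resolves them through $PATH. The 1:3.5.12-1.1~deb11u1 entry lists only "Rebuild for bullseye"; consider stating there that the CVE fixes come from the 1:3.5.12-1.1 entry below it.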

