On Thu, 2025-08-28 at 18:25 +0100, Adam D. Barratt wrote:
> Mentioning 2.4.64 is fine. However, this package *also* includes
> changes from 2.4.65, which is not mentioned. It also claims that the
> CVE fix that was the reason for 2.4.65 being released was already
> part of 2.4.64.
>
> So eg.
>
> + * New upstream version 2.4.64
> + (Closes: CVE-2025-23048, CVE-2024-42516, CVE-2024-43204, CVE-
> 2024-43394,
> + CVE-2024-47252, CVE-2025-49630, CVE-2025-49812, CVE-2025-53020)
> + * New upstream version 2.4.65
> + (Closes: CVE-2025-54090)
>
> would seem more accurate.

I've marked the existing upload for rejection. Once that happens,
please feel free to re-upload with a changelog that's more clearly
divided between the changes in 2.4.64 and .65, e.g. as above.

Regards,

Adam