Hi Cyril, On Tue, May 13, 2025 at 08:38:00PM +0200, Cyril Brulebois wrote: > Hi Salvatore, > > Debian FTP Masters <[email protected]> (2025-05-07): > > Closes: 1081338 > > Changes: > > xorg-server (2:21.1.16-1.1) unstable; urgency=medium > > . > > * Non-maintainer upload. > > * dix: Hold input lock for AttachDevice() (CVE-2022-49737) > > (Closes: #1081338) > > This upload is 5/10 days old and could get caught in the d-i freeze (I'd > hope not, but better safe than sorry etc.). > > My first instinct was to have it migrate early (~ now) but I thought I'd > check with you and the X team before doing so.
It really can go both ways, what is easier for you. I think its safe to have it migrated earlier than the 10 days (the fix is isolated and was "longstanding". If it's problematic for d-i release then it can safely wait as well until d-i release is done. Datapoint: The reporter in Debian in #1081338 verified the fix (in bookworm, on top of back then in 2:21.1.7-3+deb12u7). So from my pov, do not worry. Does this help? Thanks a lot for your work! Regards, Salvatore
