> I arrived at the conclusion because I was expecting a mention of
> CVE-2022-27404 and the change that fixed it.  [...]

Thanks for the explanation.  We usually don't mention CVEs in release
messages unless someone explicitly tells us.  In most cases CVEs are
made public much later than the fixes or FreeType releases;
additionally, we (the FreeType team) are not informed about CVEs at
all, and we simply don't have the human resources to do more tracking.


    Werner
