Hi!

On Tue, 2026-02-24 at 11:57:34 +0200, Ron Ben Yizhak wrote:
> I’d like to ensure we follow the standard CVE process here. Standard
> practice dictates that a CVE is issued per individual fix. Generally, once
> a fix is merged and released, it is assigned its own CVE. Even if that fix
> is later bypassed, the original merge stands as a unique event in the
> codebase, meaning we should issue two separate CVEs rather than grouping
> them.

Salvatore Bonaccorso from the Debian Security Team got a CVE assigned
for this, see <https://www.cve.org/CVERecord?id=CVE-2026-28372>. I'll
update the Debian packaging on the next upload to point to that.

Thanks,
Guillem
