(resending as I lost the CC on the first reply)

On 13/05/2025 13:55, Adrian Bunk wrote:
> On Tue, May 13, 2025 at 01:02:30PM +0200, Lee Garrett wrote:
>> ...
>> I also prepared an update for Thunderbird fixing the following issues:
>> - CVE-2025-2817
>> - CVE-2025-4082
>> - CVE-2025-4083
>> - CVE-2025-4087
>> - CVE-2025-4091
>> - CVE-2025-4093
>> - CVE-2025-3523
>> - CVE-2025-3522
>> - CVE-2025-2830
>> ...
>
> I am a bit confused regarding what you have done last month.
> What is the DLA number of your update?
> Where in git are your changes?

I had claimed thunderbird in dla-needed on April 22 [0]. I talked to jmm and agreed to upload it after it has been fixed in stable and above. However Christoph prepared an update independently and uploaded it on April 30 [1].
DLA-4167-1 should reach debian-lts-announce@ soon, which also contains the correct CVE list.

Regards,
Lee Garrett,
Debian LTS Team

> cu
> Adrian

[0] https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/db02e9f273f45f3e2dccaea8de16934852777bf4
[1] https://tracker.debian.org/news/1642678/accepted-thunderbird-1128100esr-1deb11u1-source-into-oldstable-security/