Sorry. I didn't understood your answer (my english is not my mother language).
You are speaking about "unstable".
I am speaking about pushing a CVE fix into stable 3.5.5. This fix is part of a patch that include other fix and this patch is called 3.5.7.
My question is can I push fix1 + fix2 + fix3 with "1 push, called 3.5.7" even if only fix1 was declared on debian.
My understood is that unstable has a different cycle than stable and is dedicated for next debian stable. So version that will be pushed into "unstable" will be 3.8 (a major release that will include upstream with fix found into maintenance official project release of 3.5.* branch, 3.6.* branch, 3.7.* branch + new features, so including the CVE included in 3.5.7 and not yet pushed to debian becuse debian is 3.5.5)
Do you mean
* i need first to update upstream of "unstable" with 3.8 (so it will include the CVE fix) to be ok to fix stable with the maintenances fixes of 3.5.7
or
* i can't push 3.5.7 into stable even if it contains only CVE or stability fix compared to 3.5.5, and I must prepare a 3.5.5bis that will include only the CVE reported to debian and not other discovered and fixed into 3.5.7 official projet ?