Bug#1021130: bullseye-pu: package tinyexr/1.0.1+dfsg-1+deb11u1
On Fri, 2022-10-14 at 11:53 +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Sun, 2022-10-02 at 19:38 +0200, Timo Röhling wrote:
> > The update fixes two vulnerabilities with low priority, i.e.
> > the security team has decided not to issue a DSA.
> >
> > [ Impact ]
> > CVE-2022-34300: Heap overflow in DecodePixelData
> > CVE-2022-38529: Heap overflow in rleUncompress
> >
>
> + * Fix low-priority vulnerabilities
>
> I'm not sure I'd use that wording in a changelog personally - more
> likely just "fix security issues" or "backport fixes" or similar - but
> it's up to you.
Hmmm. The debdiff you've uploaded is rather larger than I was
expecting, or was proposed.
That appears to be (which I should have spotted earlier) because stable
has 1.0.0+dfsg-1 and your upload is based on 1.0.*1*+dfsg-1.
Regards,
Adam