
Bug#1021130: bullseye-pu: package tinyexr/1.0.1+dfsg-1+deb11u1



On Fri, 2022-10-14 at 11:53 +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Sun, 2022-10-02 at 19:38 +0200, Timo Röhling wrote:
> > The update fixes two vulnerabilities with low priority, i.e.
> > the security team has decided not to issue a DSA.
> > 
> > [ Impact ]
> > CVE-2022-34300: Heap overflow in DecodePixelData
> > CVE-2022-38529: Heap overflow in rleUncompress
> > 
> 
> +  * Fix low-priority vulnerabilities
> 
> I'm not sure I'd use that wording in a changelog personally - more
> likely just "fix security issues" or "backport fixes" or similar -
> but it's up to you.

Hmmm. The debdiff you've uploaded is rather larger than I was
expecting, or was proposed.

That appears to be (which I should have spotted earlier) because stable
has 1.0.0+dfsg-1 and your upload is based on 1.0.*1*+dfsg-1.

Regards,

Adam
