Bug#1021130: bullseye-pu: package tinyexr/1.0.1+dfsg-1+deb11u1

* Adam D. Barratt <adam@adam-barratt.org.uk> [2022-10-14 12:53]:
> On Fri, 2022-10-14 at 11:53 +0100, Adam D. Barratt wrote:
> > Control: tags -1 + confirmed
> >
> > On Sun, 2022-10-02 at 19:38 +0200, Timo Röhling wrote:
> > > The update fixes two vulnerabilities with low priority, i.e.
> > > the security team has decided not to issue a DSA.
> > >
> > > [ Impact ]
> > > CVE-2022-34300: Heap overflow in DecodePixelData
> > > CVE-2022-38529: Heap overflow in rleUncompress
> > >
> >
> > +  * Fix low-priority vulnerabilities
> >
> > I'm not sure I'd use that wording in a changelog personally - more
> > likely just "fix security issues" or "backport fixes" or similar - but
> > it's up to you.
>
> Hmmm. The debdiff you've uploaded is rather larger than I was
> expecting, or was proposed.
>
> That appears to be (which I should have spotted earlier) because stable
> has 1.0.0+dfsg-1 and your upload is based on 1.0.*1*+dfsg-1.
Is there something we can do about this?
Should I prepare a new upload with 1.0.1+really1.0.0, for instance?

Cheers
Timo

--
⢀⣴⠾⠻⢶⣦⠀   ╭────────────────────────────────────────────────────╮
⣾⠁⢠⠒⠀⣿⡁   │ Timo Röhling                                       │
⢿⡄⠘⠷⠚⠋⠀   │ 9B03 EBB9 8300 DF97 C2B1  23BF CC8C 6BDD 1403 F4CA │
⠈⠳⣄⠀⠀⠀⠀   ╰────────────────────────────────────────────────────╯