[From nobody Sun Apr 26 15:49:08 2026
Received: (at 1128418-done) by bugs.debian.org; 26 Apr 2026 14:46:51 +0000
X-Spam-Checker-Version: SpamAssassin 4.0.1-bugs.debian.org_2005_01_02
 (2024-03-25) on buxtehude.debian.org
X-Spam-Level: 
X-Spam-Status: No, score=-109.2 required=4.0 tests=BAYES_00,DKIMWL_WL_HIGH,
 DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FROMDEVELOPER,
 HAS_BUG_NUMBER,MD5_SHA1_SUM,SPF_HELO_NONE,SPF_NONE,UNPARSEABLE_RELAY,
 USER_IN_DKIM_WELCOMELIST autolearn=ham autolearn_force=no
 version=4.0.1-bugs.debian.org_2005_01_02
X-Spam-Bayes: score:0.0000 Tokens: new, 11; hammy, 131; neutral, 34; spammy,
 0. spammytokens:
 hammytokens:0.000-+--Hx-spam-relays-external:sk:stravin,
 0.000-+--H*RT:sk:stravin, 0.000-+--Hx-spam-relays-external:311,
 0.000-+--H*RT:311, 0.000-+--H*RT:108
Return-path: &lt;carnil@debian.org&gt;
Received: from stravinsky.debian.org ([2001:41b8:202:deb::311:108]:54354)
 by buxtehude.debian.org with esmtps
 (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.96) (envelope-from &lt;carnil@debian.org&gt;) id 1wH0l0-003Wut-34;
 Sun, 26 Apr 2026 14:46:51 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debian.org; 
 s=smtpauto.stravinsky;
 h=X-Debian-User:In-Reply-To:Content-Type:MIME-Version:
 References:Message-ID:Subject:Cc:To:From:Date:Reply-To:
 Content-Transfer-Encoding:Content-ID:Content-Description;
 bh=6w6BYiu1d1u2b/svuLiyUTnrkKJ18khKsmoe7wSO88M=; b=kkytgBqu3ch8buT7OQ/8kAsoBY
 p5AhzfwNqtdhtTM45Il8XtgTH7rHZl0mHNMLnMexS5pL2bHip9m2/phst/jr6hnUkYdUefQ07ssMh
 rDcAtMOE3gU+FTlnuygxq9qrVc2nMRj9RxZhrMvA0Eq/+HVI1R4WNHJcTxykwUl2mSla1zZrIo43B
 Nr2DA+AY5aVyBcHt9Il/wbYf9V3TXGtSKHZ4Hk/HtGgcAfXC4UdnWp8EVlp+TwzWmZPJAmMRrab44
 G0a7O21EyRA6pBPcT/cQhM63FtBztdxozi1BgCVl4j/ZnpBetmDQ7dtpsV7/fseMP2wVr7G22NZ+R
 DvKUGLUA==;
Received: from authenticated user by stravinsky.debian.org with esmtpsa
 (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.96) (envelope-from &lt;carnil@debian.org&gt;) id 1wH0kz-004mop-01;
 Sun, 26 Apr 2026 14:46:49 +0000
Received: by eldamar.lan (Postfix, from userid 1000)
 id 44782BE2DE0; Sun, 26 Apr 2026 16:46:48 +0200 (CEST)
Date: Sun, 26 Apr 2026 16:46:48 +0200
From: Salvatore Bonaccorso &lt;carnil@debian.org&gt;
To: Holger Levsen &lt;holger@layer-acht.org&gt;
Cc: 1128418@bugs.debian.org, 1128418-done@bugs.debian.org
Subject: Re: Bug#1128418: rust-rpm-sequoia: CVE-2026-2625
Message-ID: &lt;ae4lWF3QVim92wfW@eldamar.lan&gt;
References: &lt;177151173241.698805.351232144081370222.reportbug@eldamar.lan&gt;
 &lt;aZcsOSqmD0ehL17C@layer-acht.org&gt;
 &lt;177151173241.698805.351232144081370222.reportbug@eldamar.lan&gt;
 &lt;aZdSqt4Coo9X7v6a@eldamar.lan&gt;
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: &lt;aZdSqt4Coo9X7v6a@eldamar.lan&gt;
X-Debian-User: carnil

Source: rust-rpm-sequoia
Source-Version: 1.10.2-1

Hi Holger,

On Thu, Feb 19, 2026 at 07:12:58PM +0100, Salvatore Bonaccorso wrote:
&gt; Hi Holger,
&gt; 
&gt; On Thu, Feb 19, 2026 at 03:28:57PM +0000, Holger Levsen wrote:
&gt; &gt; On Thu, Feb 19, 2026 at 03:35:32PM +0100, Salvatore Bonaccorso wrote:
&gt; &gt; &gt; The only available reference at time of writin is [1] the bugzilla
&gt; &gt; &gt; entry at Red Hat. A quick search in [2] has not revealed the issue
&gt; &gt; &gt; beeing reported already, at least I was not able to find it.
&gt; &gt; 
&gt; &gt; thanks for this bug report, Salvatore. Upstream learned about this issue
&gt; &gt; by me telling them about this Debian bug of yours.
&gt; 
&gt; In this case, thanks for having notified upstream.

This apparently has been fixed upstream via
https://github.com/rpm-software-management/rpm-sequoia/commit/fa3c60094fa853ede6b4862e936f246412d700de
in v1.10.2.

Regards,
Salvatore]