[Debian-med-packaging] Bug#1093043: dcmtk: leftover CVE status.
Salvatore Bonaccorso
carnil at debian.org
Wed Feb 12 06:56:37 GMT 2025
Hi Étienne
On Tue, Feb 11, 2025 at 10:24:33PM +0100, Étienne Mollier wrote:
> Hi Salvatore,
>
> Salvatore Bonaccorso, on 2025-02-09:
> > Regarding CVE-2024-28130, should we ignore it for fixing in bookworm
> > if it is too risky for regressions?
>
> With the first batch of CVEs addressed in proposed-updates, I
> could take a fresher look at the patch set. I thought I would
> hit a brick wall, but instead I seem to have an implementation:
>
> * which includes the necessary upstream changes;
> * which does not cause regressions in autopkgtest of reverse
> dependencies;
> * which does not cause build failure of reverse build
> dependencies;
> * which does not regress like what could be observed in the
> bug #1095072.
>
> I can't really recall why I didn't manage to get anywhere
> earlier; perhaps I messed up the order of the patches. My changes
> are available on Salsa[1] for those who are curious. There are
> a lot of changes introduced by the patches, so it could be still
> deemed risky, but I now think I might be able to justify them to
> the Stable Release Managers.
>
> [1]: https://salsa.debian.org/med-team/dcmtk/-/tree/debian/bookworm?ref_type=heads
>
> Have a good evening, :)
Thanks a lot for your work, and for providing this status update. Then
I suggest that we do not ignore the remaining CVEs and you can
address this equally through the point release.
Thanks again!
Regards,
Salvatore