Bug#1041810: librsvg: CVE-2023-38633

Simon McVittie smcv at debian.org
Sun Jul 30 21:48:57 BST 2023


On Sun, 30 Jul 2023 at 22:04:24 +0200, Salvatore Bonaccorso wrote:
> For bullseye I think we should simply pick the upstream commit?

Yes: we didn't keep up with upstream 2.50.x so there are a bunch of
unrelated fixes (2.50.4 up to .7) which would be out of scope for a
security update. If it was a package I knew better then I might be
advocating the new upstream release, but I can't really assess risk vs
benefit for librsvg, so cherry-picking the equivalent of .8 and .9 seems
more conservative.

<https://salsa.debian.org/gnome-team/librsvg/-/merge_requests/20>
compiles successfully, I'll try it in a bullseye VM next.

    smcv
