Hi Salvatore,

On Fri, Feb 04, 2022 at 09:17:04PM +0100, Salvatore Bonaccorso wrote:
> […]
> The issue has been assigned CVE-2021-46671.
>
> Andreas, unless I miss something crucial, I think this issue can be
> fixed in the upcoming point releases and does not require a DSA.

With Johannes' help I was able to reproduce the bug: It looks like only
very special circumstances lead to the described information leak. (For
example, with option '--verbose', it did not work). So no DSA and a fix
via proposed updates is perfectly fine.

PUs are tracked/asked for in #1004999 and #1005000.

Thanks and best regards,
Andi