Hi,

Jonathan Wiltshire <[email protected]> (2026-01-26):
> On Sat, Jan 24, 2026 at 10:29:25AM +0100, Tobias Frost wrote:
> > Package: release.debian.org
> > Severity: normal
> > Tags: trixie
> > X-Debbugs-Cc: [email protected], [email protected]
> > Control: affects -1 + src:libpng1.6
> > User: [email protected]
> > Usertags: pu
> >
> > Upstream has released a new upstream version fixing two CVEs:
> > - CVE-2026-22801 - Heap buffer over-read (Closes: #1125444
> > - CVE-2026-22695 - Heap buffer over-read (Closes: #1125443)
> >
> > CVE-2026-22695 has been introduced by CVE-2025-65018, fixed in trixie
> > via 1.6.48-1+deb13u1.
> >
> > I've coordinated with the security team and we've settled on updating
> > the issues via s-p-u.
>
> d-i ack required for the udeb.

Sorry I also lost track of that one. This should be fine, and it's been
obsoleted by the security update anyway. Both lgtm.

Cheers,
--
Cyril Brulebois ([email protected]) <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant

