On Mon, Apr 13, 2026 at 10:19:06AM +0100, Simon McVittie wrote:
> On Sun, 12 Apr 2026 at 17:41:22 +0000, Moritz Mühlenhoff wrote:
> > > On Tue, 07 Apr 2026 at 21:09:26 +0100, Simon McVittie wrote:
> > > debdiff and source package here:
> > > https://people.debian.org/~smcv/temp/2026/CVE-2026-34080/
> > >
> > > functionally-equivalent test-build with a slightly lower version number:
> > > https://people.debian.org/~smcv/temp/2026/CVE-2026-34080/testbuild/
> >
> > Let's also fix this via a DSA. debdiff looks good, please build with -sa
> > and upload to security-master.
>
> Uploaded.
Thanks, the DSA has been released!
> I'll try to get to the bookworm backport at some point, probably
> as a batch with backporting the recent security fix for flatpak (it makes
> sense to test them together, even if they aren't necessarily released
> together).
Thanks, we can release/test these together whenever ready.
As or the remaining related security issue (xdg-desktop-portal), I'm inclined
to not fix this via a DSA, the impact seem really limited. But if you prefer
to also see this fix via security.d.o we can surely also revisit.
Cheers,
Moritz
