Sorry for the late reply, got backlogged in my inbox.
Am Mon, Apr 12, 2021 at 11:18:16AM +0100 schrieb Ximin Luo:
> It looks like these CVEs affect all versions up to 1.52 (which is not yet
> released).
>
> Do you have links to patches fixing these bugs that can be backported to
> 1.48? We've had 1.48 for a while due to the migration freeze, and I've been
> informed that some rust packages in Debian break with newer versions of rustc
> and will need themselves to be updated - so I'd rather not force that during
> the freeze, I'd rather backport security fixes to 1.48.
Not sure if there are backports for 1.48, if these aren't easily
backportable, let's bullseye-ignore them for now. The next rustc update
for the subsequent Mozilla ESR will catch up with those anyway.
Cheers,
Moritz
