Sorry for the late reply, got backlogged in my inbox.

On Mon, Apr 12, 2021 at 11:18:16AM +0100, Ximin Luo wrote:
> It looks like these CVEs affect all versions up to 1.52 (which is not yet
> released).
>
> Do you have links to patches fixing these bugs that can be backported to
> 1.48? We've had 1.48 for a while due to the migration freeze, and I've been
> informed that some rust packages in Debian break with newer versions of rustc
> and will need themselves to be updated - so I'd rather not force that during
> the freeze, I'd rather backport security fixes to 1.48.

Not sure if there are backports for 1.48; if these aren't easily backportable,
let's bullseye-ignore them for now. The next rustc update for the subsequent
Mozilla ESR will catch up with those anyway.

Cheers,
Moritz