Control: tags -1 - moreinfo On Tue, Apr 28, 2026 at 11:54:56AM +0300, Adrian Bunk wrote: > Package: release.debian.org > Severity: normal > Tags: trixie moreinfo > X-Debbugs-Cc: [email protected], [email protected] > Control: affects -1 + src:jpeg-xl > User: [email protected] > Usertags: pu > > This update fixes two separate issues that would each warrant > a trixie update: > > 1. The change in the new upstream version are 3 security fixes > (one without a CVE assigned). > > 2. The package does FTBFS in trixie on s390x and riscv64 > due to building with gcc-13 there (#1110520): > - using gcc-13 on s390x was a workaround for what is now fixed > properly with Fix-modular-on-big-endian-machines-4095.patch > - using gcc-13 on riscv64 was a (non-working) workaround attempt > that was not reverted when the issue was actually fixed with > a different change in the next upload > > The cross/nojava changes in 0.11.1-6 look harmless to me, > but I can revert them if requested. > > The new upstream release has been in forky for a month and the > gcc/endian changes for over half a year without any regressions > reported in the bts. > > Tagged moreinfo, as question to the security team whether they want > this in pu or as DSA. > > Backporting CVE-2025-12474 to bookworm might be doable but would > not be trivial due to depending on other changes.
Given the point releases around the corner I think it does make more sense to include such an update together with others in the point releases upcoming. So rather target it than a DSA. Thanks for reparing the update. Regards Salvatore
