Dear Security team, I've tried reaching out to the nghttp2 upstream maintainer, but have not received any feedback so far. Would you be willing to help with getting those changes reviewed?
Trixie: https://salsa.debian.org/debian/nghttp2/-/merge_requests/12 Bookworm: https://salsa.debian.org/debian/nghttp2/-/merge_requests/11 The lack of review in trixie/bookworm is currently blocking the release of those fixes for Debian (E)LTS series (stretch/buster/bullseye). Cheers, Lukas ---------- Forwarded message --------- Von: Lukas Date: Fr., 17. Apr. 2026 um 08:54 Uhr Subject: [nghttp2] Debian CVE-2023-44487 backports To: Tatsuhiro Dear Tatsuhiro, This is Lukas from the Debian LTS team. I've been working on LTS backports for CVE-2023-44487. And while on it, I also backported your patches to Debian Stable (trixie) and Oldstable (bookworm). After coordinating with the Debian Security Team (jmm specifically), they mentioned that you'd already been involved with preparing such backports for Debian (old-)stable. Maybe you'd be interested in reviewing my work, so we can avoid duplication? Trixie: https://salsa.debian.org/debian/nghttp2/-/merge_requests/12 Bookworm: https://salsa.debian.org/debian/nghttp2/-/merge_requests/11 Please let me know what you think. Best regards, Lukas
