Hi Étienne

On Tue, Feb 11, 2025 at 10:24:33PM +0100, Étienne Mollier wrote:
> Hi Salvatore,
>
> Salvatore Bonaccorso, on 2025-02-09:
> > Regarding CVE-2024-28130, should we ignore it for fixing in bookworm
> > if it is too risky for regressions?
>
> With the first batch of CVEs addressed in proposed-updates, I
> could take a fresher look at the patch set. I thought I would
> hit a brick wall, but instead I seem to have an implementation:
>
> * which includes the necessary upstream changes;
> * which does not cause regressions in autopkgtest of reverse
>   dependencies;
> * which does not cause build failure of reverse build
>   dependencies;
> * which does not regress like what could be observed in the
>   bug #1095072.
>
> I can't really recall why I didn't manage to get anywhere
> earlier; perhaps I messed the order of the patches. My changes
> are available on Salsa[1] for those who are curious. There are
> a lot of changes introduced by the patches, so it could be still
> deemed risky, but I now think I might be able to justify them to
> the Stable Release Managers.
>
> [1]: https://salsa.debian.org/med-team/dcmtk/-/tree/debian/bookworm?ref_type=heads
>
> Have a good evening, :)

Thanks a lot for your work, and for providing this status update. Then
I suggest that we do not ignore the remaining CVEs and you can
address this equally through the point release.

Thanks again!

Regards,
Salvatore