Hi Arnaud,
> I worked on an update, please find a new debdiff attached.
I'm not part of the stable release managers, but I'm working
on an equivalent update for 3.13, so I also did pass over
your 3.11 patch.
> > And there's several cases like e.g. for CVE-2025-11468:
> > [...]
> > Why didn't you use the corresponding fixes
> > from the 3.11 branch instead
>
> I updated the patch series, cherry-picked every patch from 3.11 (when
> avail), and also refreshed the patches so that the diff with upstream
> patches is minimal. Hopefully it's now easy to review.
I've reviewed your debdiff and it looks all good, except one
thing: The patch for CVE-2026-3644 is from an unmerged PR,
which hasn't been reviewed. I think it's better to keep it out
until it's properly reviewed and merged into the 3.11 upstream
branch.
> > CVE-2025-15366, CVE-2025-15367: potential regressions
> > are being investigated [...] not backported to released
> > branches (probably won't be)
>
> I removed these 2 from the patch series.
I've also marked these as <ignored> in the Debian Security Tracker.
> I don't know if those new CVEs need to go through DSA though, I pinged
> security team on IRC.
These are fairly harmless and fine via the next point release.
Cheers,
Moritz