Control: tags -1 wontfix Control: severity -1 important The Debian version is too old to contain this CVE. https://github.com/advisories/GHSA-pfh2-hfmq-phg5 has "Affected versions: >= 2.2.0, < 2.9.0"
So this should not be RC for now. When the package is updated to another version make sure that the fix is included.
