Control: tags -1 - moreinfo

Hi Adrian,

On Wed, Dec 04, 2024 at 11:29:46PM +0200, Adrian Bunk wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm moreinfo
> User: release.debian....@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: secur...@debian.org, Matthias Klose <d...@debian.org>
> 
>   * CVE-2023-27043: Reject malformed addresses in email.parseaddr()
>     (Closes: #1059298)
>   * CVE-2024-6923: Encode newlines in headers in the email module
>   * CVE-2024-7592: Quadratic complexity parsing cookies with backslashes
>   * CVE-2024-9287: venv activation scripts didn't quote paths
>   * CVE-2024-11168: urllib functions improperly validated bracketed hosts
> 
> Tagged moreinfo, as question to the security team whether they want
> this in -pu or as DSA.

Yes, the point release route and batching this update together with
others seems fine, in particular given the next point release is
scheduled to be in ~1 month.

Regards,
Salvatore
