l...@gnu.org (Ludovic Courtès) skribis: > The libxml2/libxslt issues are actually patched, but since we didn’t > change the version number, the tool assumes that our packages are > vulnerable. We should change version numbers in the future when > patching vulnerabilities.
Alternately, ‘lint’ could check the package’s patches and silence the warning if there are patches whose name contain the offending CVE ID. That way it would still catch vulnerabilities later reported for that version. Thoughts? Ludo’.
