LGTM. I didn't look at the patches, but adding a libtiff/fixed package and using the replacement field in libtiff is my understanding of how security updates should be done.
- libtiff security update (multiple CVEs) Leo Famulari
- Re: libtiff security update (multiple CVEs) Leo Famulari
- Re: libtiff security update (multiple CVEs) David Craven
- Re: libtiff security update (multiple CVEs) Leo Famulari
