
Bug#1021364: RFS: ghostwriter/2.2.0-1 [RC] -- Distraction-free, themeable Markdown editor



On 08.10.22 at 12:33, Sebastien CHAVAUX wrote:
 To my knowledge, CVE-2022-39209 concerns versions of cmark-gfm before 0.29.0.gfm.3 and 0.28.3.gfm.21:

 This vulnerability has been patched in the following cmark-gfm versions 0.29.0.gfm.3 and 0.28.3.gfm.21.

https://security-tracker.debian.org/tracker/CVE-2022-24724

That is right for CVE-2022-24724 but CVE-2022-39209 != CVE-2022-24724.

I replaced the lintian message in debian/source/lintian-overrides precisely to avoid an overflow error, in short, it's been done since a yawn without ever causing any problems, for proof it's already the case in the ghostwriter version in backport (2.0.2-2~bpo11+1), that's what I was advised to do at the time.

I do not know what that means. I do not care about the lintian override but the non-source files.

