From: carnil@debian.org   
      
   Hi Fabian,   
      
   On Sat, Feb 14, 2026 at 10:40:49AM +0100, Fabian Grünbichler wrote:   
   > On Mon, 05 Jan 2026 17:38:15 +0100 Salvatore Bonaccorso wrote:
   > > Source: rust-gix-date   
   > > Version: 0.9.3-1   
   > > Severity: important   
   > > Tags: security upstream   
   > > Forwarded: https://github.com/GitoxideLabs/gitoxide/issues/2305   
   > > X-Debbugs-Cc: carnil@debian.org, Debian Security Team    
   > >   
   > > Hi   
   > >   
   > > From https://rustsec.org/advisories/RUSTSEC-2025-0140.html:   
   > > | The function gix_date::parse::TimeBuf::as_str can create an illegal   
   > > | string containing non-utf8 characters. This violates the safety   
   > > | invariant of TimeBuf and can lead to undefined behavior when consuming   
   > > | the string.   
   > > |   
   > > | The bug can be prevented by adding str::from_utf8 to the function   
   > > | TimeBuf::write.   
   >   
   > FWIW, upstream considers this a non-issue within the reference frame of   
   > gitoxide[0], for which this crate was packaged (it's used by cargo). As such,   
   > I think we can wait for the upgrade to 0.12 to happen naturally (which   
   > will still take a bit), and not consider this issue important.
   >   
   > If you disagree, and want the Rust team to evaluate backporting the fix,   
   > please say so!   
      
   Yes sounds good, thank you. FWIW, we marked it as well no-dsa for   
   trixie.   
      
   Regards,   
   Salvatore   
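
The invariant described in the quoted RUSTSEC-2025-0140 text, as an added example that is not part of the original mail and is not gix-date's code: a buffer whose `as_str` skips validation is only sound if `write` validates every chunk with `str::from_utf8`. `CheckedBuf` and `try_store` are hypothetical names, and the sample inputs are constructed.

```rust
use std::io::{self, Write};

/// Hypothetical stand-in for a TimeBuf-like type: bytes handed out as `&str`.
#[derive(Default)]
pub struct CheckedBuf {
    buf: Vec<u8>,
}

impl CheckedBuf {
    pub fn as_str(&self) -> &str {
        // SAFETY: `write` only stores chunks that passed str::from_utf8, and a
        // concatenation of valid UTF-8 chunks is itself valid UTF-8.
        unsafe { std::str::from_utf8_unchecked(&self.buf) }
    }
}

impl Write for CheckedBuf {
    fn write(&mut self, data: &[u8]) -> io::Result<usize> {
        // The check named in the advisory: reject non-UTF-8 input up front.
        let s = std::str::from_utf8(data)
            .map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e))?;
        self.buf.extend_from_slice(s.as_bytes());
        Ok(data.len())
    }

    fn flush(&mut self) -> io::Result<()> {
        Ok(())
    }
}

/// Writes each chunk in turn and returns the text, or the kind of the first error.
pub fn try_store(chunks: &[&[u8]]) -> Result<String, io::ErrorKind> {
    let mut b = CheckedBuf::default();
    for c in chunks {
        b.write_all(c).map_err(|e| e.kind())?;
    }
    Ok(b.as_str().to_owned())
}

fn main() {
    // Constructed sample inputs, not taken from gitoxide.
    let good: [&[u8]; 2] = ["1767631095".as_bytes(), " +0100".as_bytes()];
    let bad: [&[u8]; 1] = [&[0xff, 0xfe]];
    println!("{:?}", try_store(&good));
    println!("{:?}", try_store(&bad));
}
```

Validating per chunk is conservative: a multi-byte character split across two `write` calls is rejected even though the joined bytes would be valid, which keeps the invariant without buffering partial sequences.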
      