Hi,

I wrote a bit about our handling of CVE-2019-12900 and the bzip2 1.0.7 and 1.0.8 releases.

https://gnu.wildebeest.org/blog/mjw/2019/08/02/bzip2-and-the-cve-that-wasnt/

Please do leave a comment if I got something wrong.

Thanks,

Mark