Can upstream help to backport CVE-2025-6176 fix for 1.0.9 release?

[pnemade]

Hi,
I see that brotli-1.0.9 is C++ code and later releases are pure C code.
We saw CVE-2025-6176 fix in 1.2.0 release but there are still many linux distributions which are using brotli-1.0.9 release.
Is it possible for upstream to provide this CVE fix patch release for brotli-1.0.9 ?

[pnemade]

@robryk can you help?

[Dreamsorcerer]

Note that the fix changes the API to add a new parameter that developers can use to limit the output (e.g. aio-libs/aiohttp#11898). You would need to update all dependents to use that new API in order to resolve any security issues, at which point maybe it's easier to just update the dependency for them to 1.2...

Backporting the fix to brotli and then not updating any other projects would resolve nothing.