It does have backports, and I think that’s the issue… we’re only looking forward from 2026.4.2 → 2026.6 and pulling “these are the security fixes in this version” without looking back to see if your version already received them.
Is that right @david? The fix would be checking if the current version has the same patches as the new version and excluding the matches?
Yeah that’s exactly right, it’s just an artefact of how the release site does the comparisons. We backport all security fixes to all currently-supported releases.
I’ll see if we can add some logic to make the cross-release comparisons work better on the site.
Yes. 2026.6.0-latest came before 2026.6.0, and most commits labelled 2026.6.0-latest are vulnerable to these security issues.
So if people are running 2026.6.0-latest, they need to update to 2026.7.0-latest (or 2026.6.0, but that would mean switching to the ‘release’ channel instead of ‘latest’).
Hmm, OK, I see that, thanks. I was expecting the actual label for -latest is sitting at the latest version of that flavour.
The actual problem I’m trying to solve, or the question I will regularly be trying to answer, is whether my installation will benefit from important security fixes if I update to some particular later version. So I’m hoping to get a list of fixes which are in that later version, relative to my current version, and then read up on them to see if they apply or if they look severe. (For example, anything about chat or inbound email doesn’t apply to my installations.)
Does that make sense? I’m trying to update when I believe I need to, and otherwise as little as I can.
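
An added example, not part of any post above and not the release site's own code: a sketch of the comparison discussed in this thread, where fixes already backported to the current version are excluded from the list for the target version, with an optional filter for components that are not in use. The advisory IDs, component names and the contents of each release are constructed sample data, and matching backports by a shared advisory ID is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Fix:
    advisory: str   # assumed: one stable ID shared by a fix and its backports
    component: str

@dataclass(frozen=True)
class Release:
    parent: Optional[str]   # previous release on the same release line
    fixes: tuple = ()       # security fixes listed for this release

# Constructed sample data (placeholder IDs, hypothetical release contents).
CHAT = Fix("ADV-EXAMPLE-1", "chat")
UPLOAD = Fix("ADV-EXAMPLE-2", "uploads")
EMAIL = Fix("ADV-EXAMPLE-3", "inbound-email")
AUTH = Fix("ADV-EXAMPLE-4", "auth")

RELEASES = {
    "2026.4.0": Release(None),
    "2026.4.1": Release("2026.4.0", (CHAT,)),            # backport
    "2026.4.2": Release("2026.4.1", (UPLOAD, EMAIL)),    # backports
    "2026.6.0": Release("2026.4.0", (CHAT, UPLOAD, EMAIL, AUTH)),
}

def cumulative(version):
    """Every advisory fixed in `version`, walking back along its own line."""
    fixed = {}
    while version is not None:
        release = RELEASES[version]
        for fix in release.fixes:
            fixed[fix.advisory] = fix
        version = release.parent
    return fixed

def naive_forward(target):
    """Forward-only view: the target's listed fixes, ignoring backports."""
    return sorted(fix.advisory for fix in RELEASES[target].fixes)

def new_fixes(current, target, ignore_components=()):
    """Fixes gained by moving current -> target, minus what current already has."""
    have = cumulative(current)
    return sorted(
        advisory
        for advisory, fix in cumulative(target).items()
        if advisory not in have and fix.component not in ignore_components
    )

if __name__ == "__main__":
    print("forward-only:", naive_forward("2026.6.0"))
    print("actually new:", new_fixes("2026.4.2", "2026.6.0"))
```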