Confused about security fixes as reported at releases.discourse.org

For example, I’m on 2026.4.2 which is reported as fixing 25 security bugs compared to 2026.4

As 2026.4.2 is very recent, I’d expect it to have backports of most or all security fixes found in 2026.6 which was released at about the same time.

But no, again I see 25 security bugs fixed. I rather suspect they are the same ones.

Indeed, 2026.6 is reported as fixing - guess what - 25 security bugs compared to 2026.4.2

Is it perhaps the case that point releases are not being accurately reported?

I expect it to be true that being on 2026.4.2 is about as safe as being on 2026.6.0 and if so, to see that in the release comparison.

It does have backports, and I think that’s the issue… we’re only looking forward from 2026.4.2 → 2026.6 and pulling “these are the security fixes in this version” without looking back to see if your version already received them.

Is that right @david? The fix would be checking if the current version has the same patches as the new version and excluding the matches?

Yeah that’s exactly right, it’s just an artefact of how the release site does the comparisons. We backport all security fixes to all currently-supported releases.

I’ll see if we can add some logic to make the cross-release comparisons work better on the site :eyes:

This will solve it:

Thanks - can confirm that no security fixes are now shown from 2026.4.2 to 2026.6 which is as expected.

A related question, though. On the releases page the presently in-progress 2026.7 offers two links:

The second of those takes us to

which presently shows 11 security fixes, relative to v2026.6.0-latest. Is that right? A quick check of three of them shows them all patched in 2026.6.0.

Yes. 2026.6.0-latest came before 2026.6.0, and most commits labelled 2026.6.0-latest are vulnerable to these security issues.

So if people are running 2026.6.0-latest, they need to update to 2026.7.0-latest. (or 2026.6.0, but that would mean switching to the ‘release’ channel instead of ‘latest’)

Hmm, OK, I see that, thanks. I was expecting the actual label for -latest to be sitting at the latest version of that flavour.

The actual problem I’m trying to solve, or the question I will regularly be trying to answer, is whether my installation will benefit from important security fixes if I update to some particular later version. So I’m hoping to get a list of fixes which are in that later version, relative to my current version, and then read up on them to see if they apply or if they look severe. (For example, anything about chat or inbound email doesn’t apply to my installations.)

Does that make sense? I’m trying to update when I believe I need to, and otherwise as little as I can.
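The comparison logic discussed earlier in the thread (forward-only listing versus a backport-aware difference, plus the point that a `-latest` snapshot predates its stable release) and the per-site triage asked for in the last post, written out as an added Ruby example. This is not the release site's code or any Discourse code; the fix identifiers, areas and version tags are constructed sample data chosen to mirror the versions mentioned in the thread.

```ruby
require 'set'

# Constructed sample data, not the real Discourse fix list: each security fix,
# the area it touches, and every release tag that contains it. Backports mean
# the same fix appears in several release lines; a "-latest" tag is a snapshot
# taken before the matching stable release, so it can lack fixes the stable has.
SECURITY_FIXES = {
  "SEC-1" => { area: "core",  in: Set["2026.4.2", "2026.6.0-latest", "2026.6.0", "2026.7.0-latest"] },
  "SEC-2" => { area: "chat",  in: Set["2026.4.2", "2026.6.0", "2026.7.0-latest"] },
  "SEC-3" => { area: "email", in: Set["2026.4.2", "2026.6.0", "2026.7.0-latest"] },
  "SEC-4" => { area: "core",  in: Set["2026.7.0-latest"] },
}.freeze

# Forward-only view the thread describes: everything labelled as fixed in the
# target, with no check of what the current version already received.
def fixes_in(version)
  SECURITY_FIXES.select { |_, fix| fix[:in].include?(version) }.keys.sort
end

# Backport-aware comparison: fixes the target has that the current version lacks.
# Comparing a stable release to a later release in a supported line yields nothing
# when every fix was backported, which is what the thread observed after the change.
def missing_fixes(current, target)
  fixes_in(target) - fixes_in(current)
end

# Per-site triage from the last post: drop fixes in areas the installation
# does not use (e.g. chat or inbound email) before reading up on the rest.
def relevant_fixes(current, target, skip_areas: [])
  missing_fixes(current, target).reject { |id| skip_areas.include?(SECURITY_FIXES[id][:area]) }
end

if __FILE__ == $0
  puts "2026.4.2 -> 2026.6.0: #{missing_fixes('2026.4.2', '2026.6.0').inspect}"
  puts "2026.6.0-latest -> 2026.7.0-latest: #{missing_fixes('2026.6.0-latest', '2026.7.0-latest').inspect}"
  puts "same, skipping chat/email: #{relevant_fixes('2026.6.0-latest', '2026.7.0-latest', skip_areas: %w[chat email]).inspect}"
end
```

With this data, `missing_fixes('2026.4.2', '2026.6.0')` is empty because every fix in 2026.6.0 was backported to 2026.4.2, while `missing_fixes('2026.6.0-latest', '2026.7.0-latest')` is not, because the `-latest` snapshot was cut before SEC-2 and SEC-3 landed; that is the distinction the thread draws between the two comparisons.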