Version 0.124.1-1 of hugo is marked for autoremoval from testing on Sun 02 Jun 2024. It depends (transitively) on golang-github-hanwen-go-fuse, affected by #1069310. You should try to prevent the removal by fixing these RC bugs.
CVE-2024-32875:
Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.125.3, title arguments in Markdown for links and images not escaped in internal render hooks. Hugo users who are impacted are those who have these hooks enabled and do not trust their Markdown content files. The issue is patched in v0.125.3. As a workaround, replace the templates with user defined templates or disable the internal templates.
CVE-2024-32875:
Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.125.3, title arguments in Markdown for links and images not escaped in internal render hooks. Hugo users who are impacted are those who have these hooks enabled and do not trust their Markdown content files. The issue is patched in v0.125.3. As a workaround, replace the templates with user defined templates or disable the internal templates.
vcswatch reports that
this package seems to have a new changelog entry (version
0.125.4-1, distribution
unstable) and new commits
in its VCS. You should consider whether it's time to make
an upload.
Standards version of the package is outdated.
wishlist
The package should be updated to follow the last version of Debian Policy
(Standards-Version 4.7.0 instead of
4.6.2).