1 issue left for the package maintainer to handle:
CVE-2022-4899:
(needs triaging)
A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.
Among the 9 debian patches
available in version 1.5.5+dfsg2-2 of the package,
we noticed the following issues:
8 patches
where the metadata indicates that the patch has not yet been forwarded
upstream. You should either forward the patch upstream or update the
metadata to document its real status.