On Fri, Mar 12, 2021 at 04:31:59PM +0100, Ludovic Courtès wrote:
> It could be that this CVE is still “pending” (I think that happens
> sometimes).  Do you know more about this one?

I found some references from other distros:

https://access.redhat.com/security/cve/cve-2020-35492
https://security-tracker.debian.org/tracker/CVE-2020-35492

... and the upstream bug report:

https://gitlab.freedesktop.org/cairo/cairo/-/issues/437

My impression of the process around reporting and registering CVE IDs is
that it's somewhat decentralized now, so there can be lack of
coordination between reporters and "canonical" authorities like NIST.