Comment 4 for bug 1994989

We (security team) prefer to patch the vulnerability instead of bumping versions, as this not only brings security fixes but bug fixes, new features and probably new dependencies that could eventually cause api/abi issues to users. So for the sake of stability we prefer to patch the vulnerability.

After you apply the patch, build it and test it, you can send us the generated debdiff.

I do notice that the patch you attached is a bit different from the one upstream actually applied, you might want to use upstreams in this case, just to keep consistency.