Hello Michael,

you are still listed in dla-needed.txt as the owner of Gosa. Apparently you already prepared a debdiff and sent it to the security team but it was never released. Would it be possible to share it with us? Or can you confirm that the following patches from Jessie will resolve this issue?

https://tracker.debian.org/media/packages/g/gosa/changelog-2.7.4%2Breloaded2-1%2Bdeb8u2

CVE-2015-8771:

0006_code-injection-in-samba-hash-generation.patch,
0007_update-sambaHashHook-description.patch.
Fix potential code injection issue in Samba hash generation. (CVE-2015-8771)

CVE-2014-9760:

https://sources.debian.net/src/gosa/2.7.4%2Breloaded2-12/debian/patches/0003_xss-vulnerability-on-login-screen.patch/

Regards

Markus