Re: xymon vulnerabilities in jessie, stretch and buster
- To: Hugo Lefeuvre <hle@debian.org>
- Cc: "Adam D. Barratt" <adam@adam-barratt.org.uk>, Moritz Mühlenhoff <jmm@inutil.org>, team@security.debian.org, debian-lts@lists.debian.org, myon@debian.org
- Subject: Re: xymon vulnerabilities in jessie, stretch and buster
- From: Axel Beckert <abe@debian.org>
- Date: Fri, 23 Aug 2019 15:52:47 +0200
- Message-id: <[🔎] 20190823135245.zwvfnrpc2ieycinv@sym.noone.org>
- Mail-followup-to: Hugo Lefeuvre <hle@debian.org>, "Adam D. Barratt" <adam@adam-barratt.org.uk>, Moritz Mühlenhoff <jmm@inutil.org>, team@security.debian.org, debian-lts@lists.debian.org, myon@debian.org
- In-reply-to: <[🔎] 20190823124800.jbtwunhgfwedy4jg@behemoth.owl.eu.com.local>
- References: <[🔎] 20190819122709.xwr3b4odkavpa4ug@behemoth.owl.eu.com.local> <[🔎] 20190819195405.GA1699@pisco.westfalen.local> <[🔎] 1af7a93319d2382265562601fa577c28@mail.adam-barratt.org.uk> <[🔎] 20190823124800.jbtwunhgfwedy4jg@behemoth.owl.eu.com.local>
Hi,
Hugo Lefeuvre wrote:
> Anyways, 4.3.29 introduced quite a few regressions[0], we should probably wait
> for 4.3.30.
I would neither upload 4.3.29 nor 4.3.30 to Jessie but only the
minimal patch plus the hostname regex regression patch as I do for
Stretch and Buster.
Also someone needs first to verify that the Xymon upstream version in
Jessie (IIRC 4.3.17) is actually vulnerable. Upstream didn't specify
if any version before 4.3.28 is affected, too.
Regards, Axel
--
,''`. | Axel Beckert <abe@debian.org>, https://people.debian.org/~abe/
: :' : | Debian Developer, ftp.ch.debian.org Admin
`. `' | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
`- | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
Reply to: