
Re: Taking from backports - icingaweb2



Hi Abhijith,

On Thu, Jun 2, 2022 at 5:50 PM Abhijith PA <abhijith@disroot.org> wrote:
> Package icingaweb2 (2.4) in stretch has around 9 open CVEs. Most of
> them are fixed in upstream v2.6. There aren't isolated patches available
> for CVE-2018-18246 to CVE-2018-18250.
>
> The changes from 2.4 .. 2.6 are pretty large and not very descriptive
> to comb through and cherry-pick. I have pinged the upstream security team
> for help; unfortunately they couldn't single out the patches. So I was
> wondering whether it's ok to upload v2.6 from stretch-backports to
> -security and fix the remaining CVEs on top of that.

I think that'd make sense, particularly when the said package is
already in the -backports pocket.

But that said, do make a note of:
$ reverse-depends src:icingaweb2
Reverse-Recommends
* education-main-server [amd64 arm64 armel armhf i386 mips64el mipsel ppc64el s390x]

Reverse-Depends
* icingaweb2-module-audit       (for icingaweb2)
* icingaweb2-module-boxydash    (for icingaweb2)
* icingaweb2-module-businessprocess
* icingaweb2-module-businessprocess
* icingaweb2-module-cube        (for icingaweb2)
* icingaweb2-module-director    (for icingaweb2-module-monitoring)
* icingaweb2-module-director    (for icingaweb2)
* icingaweb2-module-eventdb     (for icingaweb2)
* icingaweb2-module-fileshipper
* icingaweb2-module-generictts
* icingaweb2-module-generictts
* icingaweb2-module-graphite    (for icingaweb2)
* icingaweb2-module-idoreports
* icingaweb2-module-incubator   (for icingaweb2)
* icingaweb2-module-ipl         (for icingaweb2)
* icingaweb2-module-map         (for icingaweb2)
* icingaweb2-module-nagvis      (for icingaweb2)
* icingaweb2-module-pdfexport   (for icingaweb2)
* icingaweb2-module-pnp         (for icingaweb2)
* icingaweb2-module-reactbundle
* icingaweb2-module-reporting   (for icingaweb2)
* icingaweb2-module-statusmap   (for icingaweb2)
* icingaweb2-module-toplevelview
* icingaweb2-module-toplevelview
* icingaweb2-module-x509        (for icingaweb2)

Packages without architectures listed are reverse-dependencies in:
all, amd64, arm64, armel, armhf, i386, mips64el, mipsel, ppc64el,
s390x

$ reverse-depends -b src:icingaweb2
No reverse dependencies found

So ideally, since the package is in the -backports pocket, I don't
think it'd be a problem, but do make sure that you at least test the
package so it doesn't introduce any regressions or anything. Hope that
helps.


- u
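The regression check the reply asks for starts with the reverse-dependency list above: each of those modules declares a relation on icingaweb2, and a versioned relation (for example a `(<< 2.5)` pin) would be left unsatisfiable by a 2.6 upload. The script below is an added example, not part of this thread and not a Debian tool; it reads a Packages-style index, lists every package that Depends on or Recommends a given binary package, and flags relations a candidate version would not satisfy, using a port of the dpkg version-ordering rules. The index is constructed for illustration: the module names are taken from the list above, but their versions, the constraints on icingaweb2, the `icingaweb2-module-example-pinned` package and the candidate version string are all made up.

```python
"""Added example: reverse-dependency and version-constraint check over a
Packages-style index. Not from the thread, not a Debian tool. The index
below is constructed; versions and constraints are assumptions."""
import re

# Constructed sample index (Debian control stanzas). Real module names from
# the thread, invented versions/constraints; 'example-pinned' is hypothetical.
SAMPLE_PACKAGES = """\
Package: icingaweb2-module-cube
Version: 1.0.0-1
Depends: icingaweb2 (>= 2.4), php

Package: icingaweb2-module-example-pinned
Version: 0.1-1
Depends: icingaweb2 (>= 2.4), icingaweb2 (<< 2.5)

Package: icingaweb2-module-director
Version: 1.4-1
Depends: icingaweb2-module-monitoring, icingaweb2 (>= 2.4.1)
Recommends: icingaweb2-module-ipl

Package: unrelated-tool
Version: 3.0-1
Depends: libc6
"""

# Placeholder candidate version (assumption, not the actual backports version).
CANDIDATE_VERSION = "2.6.0-1~bpo9+1"

def parse_packages(text):
    """Yield one dict of fields per stanza; stanzas are separated by blank lines."""
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        yield fields

# name, optional "(op version)"; arch qualifiers and build profiles are ignored here.
REL_RE = re.compile(r"^\s*([^\s(]+)\s*(?:\(\s*(<<|<=|=|>=|>>)\s*([^)]+?)\s*\))?\s*$")

def parse_relations(field):
    """Split a Depends/Recommends value into (name, op, version); alternatives are flattened."""
    rels = []
    for item in field.split(",") if field else []:
        for alt in item.split("|"):
            m = REL_RE.match(alt)
            if m:
                rels.append((m.group(1), m.group(2), m.group(3)))
    return rels

def _order(s, i):
    """Character weight used by dpkg's verrevcmp; end of string counts as 0."""
    if i >= len(s):
        return 0
    c = s[i]
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256

def _verrevcmp(a, b):
    """Port of dpkg's verrevcmp: alternate non-digit runs and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a, i), _order(b, j)
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def compare_versions(v1, v2):
    """dpkg ordering: negative if v1 < v2, zero if equal, positive if v1 > v2."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def _satisfies(have, op, want):
    c = compare_versions(have, want)
    return {"<<": c < 0, "<=": c <= 0, "=": c == 0, ">=": c >= 0, ">>": c > 0}[op]

def check_reverse_deps(packages_text, target, candidate_version):
    """Return (sorted [(package, field)] relating to target, [(package, field, op, version)] broken)."""
    reverse, broken = set(), []
    for pkg in parse_packages(packages_text):
        for field in ("Depends", "Recommends"):
            for name, op, ver in parse_relations(pkg.get(field, "")):
                if name != target:
                    continue
                reverse.add((pkg["Package"], field))
                if op and not _satisfies(candidate_version, op, ver):
                    broken.append((pkg["Package"], field, op, ver))
    return sorted(reverse), broken

if __name__ == "__main__":
    rdeps, bad = check_reverse_deps(SAMPLE_PACKAGES, "icingaweb2", CANDIDATE_VERSION)
    for name, field in rdeps:
        print(f"{name}\t({field})")
    for name, field, op, ver in bad:
        print(f"WARNING: {name} {field}: icingaweb2 ({op} {ver}) not satisfied by {CANDIDATE_VERSION}")
```

Against a real archive you would feed it the stretch Packages index for each architecture and the candidate's actual version; anything in the second list has to be rebuilt, relaxed or dropped before the -security upload, and the first list is the set of packages to install and smoke-test alongside the new icingaweb2.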

