Re: Taking from backports - icingaweb2
Hi Ahijith,
On Thu, Jun 2, 2022 at 5:50 PM Abhijith PA <abhijith@disroot.org> wrote:
> Package icingaweb2 (2.4) in stretch has around 9 open CVEs. Most of
> them are fixed in upstream v2.6. There aren't isolated patches available
> for CVE-2018-18246 to CVE-2018-18250.
>
> The changes from 2.4 .. 2.6 are pretty large and not very descriptive
> to comb through and cherry-pick. I have pinged the upstream security team
> to help; unfortunately they couldn't single out the patches. So I was
> wondering whether it's ok to upload v2.6 from stretch-backports to
> -security and fix the remaining CVEs on top of that.
I think that'd make sense, particularly when the said package is
already in the -backports pocket.
But that said, do make a note of:
$ reverse-depends src:icingaweb2
Reverse-Recommends
* education-main-server [amd64 arm64 armel armhf i386 mips64el mipsel
ppc64el s390x]
Reverse-Depends
* icingaweb2-module-audit (for icingaweb2)
* icingaweb2-module-boxydash (for icingaweb2)
* icingaweb2-module-businessprocess
* icingaweb2-module-businessprocess
* icingaweb2-module-cube (for icingaweb2)
* icingaweb2-module-director (for icingaweb2-module-monitoring)
* icingaweb2-module-director (for icingaweb2)
* icingaweb2-module-eventdb (for icingaweb2)
* icingaweb2-module-fileshipper
* icingaweb2-module-generictts
* icingaweb2-module-generictts
* icingaweb2-module-graphite (for icingaweb2)
* icingaweb2-module-idoreports
* icingaweb2-module-incubator (for icingaweb2)
* icingaweb2-module-ipl (for icingaweb2)
* icingaweb2-module-map (for icingaweb2)
* icingaweb2-module-nagvis (for icingaweb2)
* icingaweb2-module-pdfexport (for icingaweb2)
* icingaweb2-module-pnp (for icingaweb2)
* icingaweb2-module-reactbundle
* icingaweb2-module-reporting (for icingaweb2)
* icingaweb2-module-statusmap (for icingaweb2)
* icingaweb2-module-toplevelview
* icingaweb2-module-toplevelview
* icingaweb2-module-x509 (for icingaweb2)
Packages without architectures listed are reverse-dependencies in:
all, amd64, arm64, armel, armhf, i386, mips64el, mipsel, ppc64el,
s390x
$ reverse-depends -b src:icingaweb2
No reverse dependencies found
So ideally, since the package is in the -backports pocket, I don't
think it'd be a problem, but do make sure that you at least test the
package so it doesn't introduce any regressions or anything. Hope that
helps.
- u
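The check above (enumerating everything that Depends on or Recommends a binary built from src:icingaweb2 before the backport is pushed to -security) is what `reverse-depends` does over the archive's Packages files. The following is an added example, not code from the thread or from the reverse-depends tool: a small offline reimplementation that parses constructed deb822 stanzas (the sample data is made up for illustration and is not real archive contents), resolves which binaries belong to a source package, and lists the reverse Depends/Recommends per field in the same shape as the tool output quoted above. Version constraints, architecture qualifiers and alternatives are stripped when matching, and binaries of the same source are skipped (a choice made here, not a claim about the real tool).

```python
"""Offline reverse-dependency scan over Debian Packages (deb822) stanzas.

Added example: reimplements the core of `reverse-depends src:X` on embedded
sample data so the check can be understood and run without an apt cache.
"""
import re
from collections import defaultdict

# Constructed sample stanzas (deb822 / Packages-file format). The package
# names, versions and relations below are illustrative, not real archive data.
SAMPLE_PACKAGES = """\
Package: icingaweb2
Source: icingaweb2
Version: 2.6.2-3~bpo9+1
Depends: php-icinga (= 2.6.2-3~bpo9+1), php-common

Package: php-icinga
Source: icingaweb2 (2.6.2-3~bpo9+1)
Version: 2.6.2-3~bpo9+1
Depends: php-gd | php-imagick, icingaweb2-common

Package: icingaweb2-module-monitoring
Source: icingaweb2
Depends: icingaweb2 (>= 2.6)

Package: icingaweb2-module-director
Version: 1.4.3-1
Depends: icingaweb2 (>= 2.4.1), icingaweb2-module-monitoring,
 php-curl
Recommends: icingaweb2-module-ipl

Package: education-main-server
Recommends: icingaweb2 | nagios3, apache2

Package: unrelated
Depends: libc6 (>= 2.24)
"""

# Relationship fields that matter for "will an upgrade break installed software".
RELATION_FIELDS = ("Depends", "Pre-Depends", "Recommends")


def parse_stanzas(text):
    """Parse deb822 text into a list of {field: value} dicts.

    Stanzas are separated by blank lines; a line starting with whitespace
    continues the previous field (folded Depends lines are common).
    """
    stanzas, current, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
            current, last = {}, None
        elif line[0] in " \t" and last:
            current[last] += " " + line.strip()
        else:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
            last = key.strip()
    if current:
        stanzas.append(current)
    return stanzas


def relation_targets(field_value):
    """Package names referenced by a Depends-style field.

    Drops version constraints "(>= 1.0)", architecture restrictions "[amd64]",
    multiarch qualifiers ":any", and flattens alternatives "a | b" so that
    either branch counts as a reference.
    """
    names = set()
    for clause in field_value.split(","):
        for alt in clause.split("|"):
            name = re.sub(r"\s*[\(\[].*", "", alt.strip())
            name = name.split(":")[0]
            if name:
                names.add(name)
    return names


def binaries_of_source(stanzas, source):
    """Binary packages built from `source` (Source: may carry a version)."""
    out = set()
    for st in stanzas:
        src = st.get("Source", st["Package"]).split()[0]
        if src == source:
            out.add(st["Package"])
    return out


def reverse_depends(text, source):
    """Map field name -> sorted (dependent, target) pairs for src:`source`.

    Binaries built from the same source are skipped, since upgrading the
    source package upgrades them together.
    """
    stanzas = parse_stanzas(text)
    ours = binaries_of_source(stanzas, source)
    result = defaultdict(set)
    for st in stanzas:
        if st["Package"] in ours:
            continue
        for field in RELATION_FIELDS:
            if field in st:
                for target in relation_targets(st[field]) & ours:
                    result[field].add((st["Package"], target))
    return {field: sorted(pairs) for field, pairs in result.items()}


if __name__ == "__main__":
    # Prints in the same shape as the reverse-depends output quoted above.
    for field, pairs in reverse_depends(SAMPLE_PACKAGES, "icingaweb2").items():
        print(f"Reverse-{field}")
        for pkg, target in pairs:
            print(f"* {pkg} (for {target})")
```

Against a real archive the same logic runs over the Packages files of the suite being targeted (here stretch and stretch-backports); the regression test the reply asks for is then to install each listed reverse dependency against the candidate upload and confirm its dependency on the new version still resolves, which is exactly where a bumped versioned dependency such as `(>= 2.6)` on a module would otherwise surface late.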