Re: Accepted zabbix 1:5.0.46+dfsg-1+deb11u1 (source) into oldstable-security
Hi Tobi,
On Sat, Apr 19, 2025 at 11:10:23AM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Format: 1.8
> Date: Sat, 19 Apr 2025 12:40:39 +0200
> Source: zabbix
> Architecture: source
> Version: 1:5.0.46+dfsg-1+deb11u1
> Distribution: bullseye-security
> Urgency: medium
> Maintainer: Dmitry Smirnov <onlyjob@debian.org>
> Changed-By: Tobias Frost <tobi@debian.org>
> Changes:
> zabbix (1:5.0.46+dfsg-1+deb11u1) bullseye-security; urgency=medium
> .
> * Non maintainer upload by the LTS team.
> * Updating to latest upstream LTS release of the 5.0.x series.
> - Refreshing patch java-gateway.patch
> (upstream embedded libs changes versions, but we are using packaged versions.)
> - Refreshing patch CVE-2024-36461.patch and CVE-2024-42331.patch due to
> upstream changes.
> - Drop CVE-2024-42330.patch, has been included in new upstream release.
> * New upstream LTS release addresses:
> - CVE-2024-36469 - user enumeration via timing attack.
> - CVE-2024-42325 - information disclosure.
> * Backport upstream fixes:
> - CVE-2024-45699 - Cross-site Scripting (XSS)
> - CVE-2024-45700 - Denial of Service
I meant to write this already some uploads back, but then I forgot,
taking now the opportunity while the upload is fresh :)
As this is the import of a new upstream version on top of the
packaging and not an incremental patching on top of the already present
1:5.0.46+dfsg-1, please consider using as version either
1:5.0.46+dfsg-0+deb11u1
or
1:5.0.46+dfsg-1~deb11u1
(even if 1:5.0.46+dfsg-1 was never present in an upload).
Similar cases are covered by php, mariadb, firefox-esr, thunderbird,
although there are some notable exceptions (for instance src:linux).
HTH,
Regards,
Salvatore
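The ordering that makes Salvatore's suggestion work, as an added example that is not part of this thread: a small Python reimplementation of the comparison algorithm dpkg applies to `[epoch:]upstream[-revision]` strings (the one described under the Version field in Debian Policy). All function names are my own; the only versions it is exercised on are the ones named in the mail, with 1:5.0.46+dfsg-1 standing for a future maintainer upload of the same upstream release.

```python
import re
from functools import cmp_to_key
from itertools import zip_longest

def _order(c: str) -> int:
    """Character weight: '~' sorts before anything, even end of string ("");
    letters sort before all other characters (dpkg's order())."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _cmp_nondigit(x: str, y: str) -> int:
    for cx, cy in zip_longest(x, y, fillvalue=""):
        d = _order(cx) - _order(cy)
        if d:
            return d
    return 0

def _verrevcmp(a: str, b: str) -> int:
    """Compare one part as alternating (non-digit run, digit run) pairs:
    runs of non-digits by character weight, runs of digits numerically."""
    pairs = lambda s: re.findall(r"(\D*)(\d*)", s)
    for (na, da), (nb, db) in zip_longest(pairs(a), pairs(b), fillvalue=("", "")):
        d = _cmp_nondigit(na, nb) or int(da or 0) - int(db or 0)
        if d:
            return d
    return 0

def split_version(v: str) -> tuple:
    """'[epoch:]upstream[-revision]': epoch before the first ':',
    revision after the last '-', as dpkg parses it."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(a: str, b: str) -> int:
    """Negative, zero or positive, like dpkg --compare-versions lt / eq / gt."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def sort_versions(versions):
    # ascending dpkg order, i.e. the order an upgrade path must be able to follow
    return sorted(versions, key=cmp_to_key(compare_versions))
```

Both -0+deb11u1 and -1~deb11u1 sort below a later 1:5.0.46+dfsg-1, whereas the uploaded -1+deb11u1 sorts above it; on a Debian system the same checks can be made with `dpkg --compare-versions`.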