Bug#958850: stretch-pu: package gosa/2.7.4+reloaded2-13+deb9u3
Hi Julien,
On Sunday, 26 April 2020, Julien Cristau wrote:
> Control: tag -1 moreinfo
>
> Hi Mike,
>
> On Sat, Apr 25, 2020 at 09:57:01PM +0200, Mike Gabriel wrote:
> > Package: release.debian.org
> > Severity: normal
> > Tags: stretch
> > User: release.debian.org@packages.debian.org
> > Usertags: pu
> >
> > Dear release team,
> >
> > this is a follow-up for #927433 (about +deb9u2).
> >
> > + * debian/patches/1047_CVE-2019-14466-1_replace_unserialize_with_json_
> > + encode+json_decode.patch:
> > + + Replace (un)serialize with json_encode/json_decode to mitigate PHP object
> > + injection (CVE-2019-14466).
> >
> > Since I last uploaded the stretch-pu of gosa, one more CVE issue got
> > known and already addressed in the Git branch.
> >
> > I will follow-up with a +deb9u3 upload on the +deb9u2 upload. Luckily,
> > this one is not as massive as the +deb9u2 one.
> >
> Which package versions fix this for buster and sid?
>
> Cheers,
> Julien
see...
https://security-tracker.debian.org/tracker/CVE-2019-14466
In fact, CVE-2019-14466 has not been fixed in buster yet. I thought I had, but obviously I had not. I can prepare an upload for that tomorrow.
The gosa in sid, regarding CVE-2019-14466, got fixed in 2.7.4+reloaded3-10.
Greets,
Mike
--
Sent from my Sailfish device
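The changelog entry quoted above describes the mitigation for CVE-2019-14466 in one line: replace (un)serialize with json_encode/json_decode. The following PHP is an added example (not code from gosa or from the Debian patch) that shows why that swap removes the PHP object injection sink. The LogWriter class, the state array and the function names are constructed for illustration; the script targets PHP 7.0 or later, which is what Debian stretch shipped.

```php
<?php
// Added example, not part of the gosa package or the +deb9u3 patch.
// Shows the difference between persisting application state with
// serialize()/unserialize() and with json_encode()/json_decode().

// Constructed stand-in for any class in the application that carries a
// magic method. unserialize() will instantiate whatever class name the
// input blob names and run such methods on attacker-chosen property values.
final class LogWriter
{
    public $path = '/tmp/app.log';
    public $line = '';

    public function __wakeup()
    {
        // Runs automatically when unserialize() rebuilds this object.
        echo "LogWriter::__wakeup called with path=" . $this->path . "\n";
    }
}

// BEFORE (pattern the CVE is about): the blob decides which PHP classes
// get instantiated. Anyone who controls the stored blob controls that.
function restoreStateUnsafe($blob)
{
    return unserialize($blob);
}

// AFTER (pattern of the fix): JSON has no notion of PHP classes. With the
// $assoc flag set, json_decode() returns only scalars and nested arrays,
// so no constructor, __wakeup() or __destruct() of an application class
// can be reached from the input.
function saveState(array $state)
{
    return json_encode($state);
}

function restoreState($blob)
{
    $state = json_decode($blob, true);
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($state)) {
        // Malformed or unexpected input: fail closed with an empty state.
        return [];
    }
    return $state;
}

// Demonstration with a constructed state array.
$state = ['filter' => 'ou=people', 'page' => 2];

// 1. The serialize() path rebuilds real objects from a string; here the
//    string is produced locally, but the decoder cannot tell the difference.
$obj = restoreStateUnsafe(serialize(new LogWriter()));
echo "unserialize() produced: " . get_class($obj) . "\n";

// 2. The JSON path round-trips the same kind of data as plain arrays.
$roundTrip = restoreState(saveState($state));
echo "json_decode() produced: " . gettype($roundTrip) . "\n";
echo "round trip intact: " . var_export($roundTrip === $state, true) . "\n";

// 3. Even an object fed into json_encode() comes back as an array of its
//    public properties; no __wakeup() runs, nothing is instantiated.
$fromObject = restoreState(json_encode(new LogWriter()));
echo "object via JSON becomes: " . gettype($fromObject) . "\n";

// 4. Garbage input is rejected instead of being interpreted.
$bad = restoreState('not json at all');
echo "malformed input yields: " . var_export($bad, true) . "\n";
```

The point to check when reviewing such a fix is that every call site that read the old serialized format now goes through the JSON decoder, and that any stored blobs in the old format are either migrated or discarded rather than unserialized "just once" during migration. Where a code base cannot move to JSON, PHP 7's `unserialize($blob, ['allowed_classes' => false])` is the narrower hardening option: it still parses the serialize() format but turns any object in the input into `__PHP_Incomplete_Class` instead of instantiating it.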