Hi Julien, On So 26 Apr 2020 18:37:27 CEST, Julien Cristau wrote:
Control: tag -1 moreinfo Hi Mike, On Sat, Apr 25, 2020 at 09:57:01PM +0200, Mike Gabriel wrote:Package: release.debian.org Severity: normal Tags: stretch User: release.debian.org@packages.debian.org Usertags: pu Dear release team, this is a follow-up for #927433 (about +deb9u2). + * debian/patches/1047_CVE-2019-14466-1_replace_unserialize_with_json_ + encode+json_decode.patch:+ + Replace (un)serialize with json_encode/json_decode to mitigate PHP object+ injection (CVE-2019-14466). Since I last uploaded the stretch-pu of gosa, one more CVE issue got known and already addressed in the Git branch. I will follow-up with a +deb9u3 upload on the +deb9u2 upload. Luckily, this one is not as massive as the +deb9u2 one.Which package versions fix this for buster and sid?
The buster-pu (+deb10u2) has now been filed as #958969. Greets, Mike -- mike gabriel aka sunweaver (Debian Developer) mobile: +49 (1520) 1976 148 landline: +49 (4351) 486 14 27 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: sunweaver@debian.org, http://sunweavers.net
Attachment:
pgp6J2WklnyYJ.pgp
Description: Digitale PGP-Signatur