
Bug#958850: stretch-pu: package gosa/2.7.4+reloaded2-13+deb9u3



Hi Julien,

On Sun 26 Apr 2020 18:37:27 CEST, Julien Cristau wrote:

Control: tag -1 moreinfo

Hi Mike,

On Sat, Apr 25, 2020 at 09:57:01PM +0200, Mike Gabriel wrote:
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Dear release team,

this is a follow-up for #927433 (about +deb9u2).

+  * debian/patches/1047_CVE-2019-14466-1_replace_unserialize_with_json_
+    encode+json_decode.patch:
+ + Replace (un)serialize with json_encode/json_decode to mitigate PHP object
+      injection (CVE-2019-14466).
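Review bot: the changelog entry for the 1047_CVE-2019-14466-1 patch names the mitigation but not its compatibility impact, which a stable-update reviewer will want spelled out. Swapping unserialize() for json_decode() changes the decoded type (stdClass objects unless the associative-array flag is passed) and means any state that was previously stored with serialize() will no longer decode, so the entry should say whether existing stored data is migrated or simply regenerated on first use.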

Since I last uploaded the stretch-pu of gosa, one more CVE issue has become
known and has already been addressed in the Git branch.

I will follow up with a +deb9u3 upload on top of the +deb9u2 upload. Luckily,
this one is not as massive as the +deb9u2 one.

Which package versions fix this for buster and sid?

The buster-pu (+deb10u2) has now been filed as #958969.

Greets,
Mike
--

mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunweaver@debian.org, http://sunweavers.net

Attachment: pgp6J2WklnyYJ.pgp
Description: Digital PGP signature
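The changelog entry quoted above describes the CVE-2019-14466 fix as a swap of (un)serialize for json_encode/json_decode. The following is an added illustration of why that swap closes a PHP object injection sink and what it changes for callers; it is not GOsa's code or the Debian patch, and the class, function and payload names are made up for the example.

```php
<?php
// Added example, not GOsa code: restoring state with unserialize() versus
// json_decode(), the swap described in the changelog entry for
// CVE-2019-14466. TempFile, restore_state_* and the payload are invented.

// Any class with a magic method is a potential gadget: unserialize()
// instantiates whatever class the payload names, and PHP then calls
// __wakeup() / __destruct() on it without the application asking for it.
class TempFile {
    public $path;
    public function __destruct() {
        // Stand-in for a destructive side effect (unlink(), a file write, ...)
        echo "TempFile::__destruct would remove {$this->path}\n";
    }
}

// Constructed attacker-controlled input: a serialized TempFile object where
// the application expects a plain array (e.g. from a cookie or a DB cell).
$untrusted = 'O:8:"TempFile":1:{s:4:"path";s:11:"/etc/passwd";}';

// Before: unserialize() on untrusted data. The gadget object is created,
// and its destructor fires as soon as $state goes out of scope, even
// though the function "rejects" the value by type.
function restore_state_unsafe(string $blob): array {
    $state = unserialize($blob);
    return is_array($state) ? $state : [];
}

// After: json_decode() only ever yields scalars, arrays and stdClass; no
// user-defined class is instantiated and no magic method runs. The second
// argument (true) requests associative arrays instead of stdClass objects,
// which is what code that previously unserialize()d arrays expects.
function restore_state_safe(string $blob): array {
    $state = json_decode($blob, true);
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($state)) {
        return [];
    }
    return $state;
}

echo "unserialize():\n";
var_dump(restore_state_unsafe($untrusted));   // destructor message appears
echo "json_decode():\n";
var_dump(restore_state_safe($untrusted));     // empty array, nothing else runs

// Writing side: json_encode() replaces serialize(). Objects lose their class
// and their private/protected members, and data written earlier with
// serialize() will not json_decode(), so stored state has to be regenerated
// or migrated when the application is upgraded.
$saved = json_encode(['uid' => 'jdoe', 'roles' => ['admin']]);
var_dump(restore_state_safe($saved)['roles'][0] === 'admin');   // bool(true)
```

Run it with `php example.php`: the unserialize() path prints the destructor message for /etc/passwd even though the caller discards the object, while the json_decode() path returns an empty array and never instantiates TempFile.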

