
Bug#958850: stretch-pu: package gosa/2.7.4+reloaded2-13+deb9u3



Control: tag -1 moreinfo

Hi Mike,

On Sat, Apr 25, 2020 at 09:57:01PM +0200, Mike Gabriel wrote:
> Package: release.debian.org
> Severity: normal
> Tags: stretch
> User: release.debian.org@packages.debian.org
> Usertags: pu
> 
> Dear release team,
> 
> this is a follow-up for #927433 (about +deb9u2).
> 
> +  * debian/patches/1047_CVE-2019-14466-1_replace_unserialize_with_json_
> +    encode+json_decode.patch:
> +    + Replace (un)serialize with json_encode/json_decode to mitigate PHP object
> +      injection (CVE-2019-14466).
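Review bot: the changelog entry says "mitigate" rather than "fix", and the patch file name carries a "-1" suffix, so it is not clear from these lines whether this single patch fully resolves CVE-2019-14466 or is the first of a series. Please state in the entry whether further parts are pending. Since the change replaces (un)serialize with json_encode/json_decode, it would also help to note whether data already stored in serialized form is still read correctly after the upgrade.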
> 
> Since I last uploaded the stretch-pu of gosa, one more CVE issue got
> known and already addressed in the Git branch.
> 
> I will follow up with a +deb9u3 upload on the +deb9u2 upload. Luckily,
> this one is not as massive as the +deb9u2 one.
> 
Which package versions fix this for buster and sid?

Cheers,
Julien

