Bug#958850: stretch-pu: package gosa/2.7.4+reloaded2-13+deb9u3
Control: tag -1 moreinfo
Hi Mike,
On Sat, Apr 25, 2020 at 09:57:01PM +0200, Mike Gabriel wrote:
> Package: release.debian.org
> Severity: normal
> Tags: stretch
> User: release.debian.org@packages.debian.org
> Usertags: pu
>
> Dear release team,
>
> this is a follow-up for #927433 (about +deb9u2).
>
> + * debian/patches/1047_CVE-2019-14466-1_replace_unserialize_with_json_
> + encode+json_decode.patch:
> + + Replace (un)serialize with json_encode/json_decode to mitigate PHP object
> + injection (CVE-2019-14466).
>
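Review bot: the changelog entry for 1047_CVE-2019-14466-1 says (un)serialize is replaced with json_encode/json_decode, but it does not say whether data already written with serialize() remains readable after the upgrade. For a stable update, the entry should state how existing serialized data is handled, or that none is persisted.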
> Since I last uploaded the stretch-pu of gosa, one more CVE issue got
> known and already addressed in the Git branch.
>
> I will follow up with a +deb9u3 upload on the +deb9u2 upload. Luckily,
> this one is not as massive as the +deb9u2 one.
>
Which package versions fix this for buster and sid?
Cheers,
Julien