Bug#1037444: bookworm-pu: package kanboard/1.2.26+ds-4
Hi Joseph,
[disclaimer: not a release team member, but I believe I can give input on
the debdiff below]
On Mon, Jun 12, 2023 at 08:19:55PM -0400, Joseph Nahmias wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian.org@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: kanboard@packages.debian.org, joe@nahmias.net
> Control: affects -1 + src:kanboard
>
> [ Reason ]
> Security updates for kanboard since v1.2.26.
>
> [ Tests ]
> upstream's unit test suite are run at build time and via autopkgtest.
> there are also some other (superficial) autopkgtests.
>
> [ Risks ]
> All listed CVEs have targeted fixes picked from upstream github.
>
> [ Checklist ]
> [X] *all* changes are documented in the d/changelog
> [X] I reviewed all changes and I approve them
> [X] attach debdiff against the package in (old)stable
> [X] the issue is verified as fixed in unstable
>
> [ Other info ]
>
> My first stable update, so please advise if I missed anything.
> --Joe
> diff -Nru kanboard-1.2.26+ds/debian/changelog kanboard-1.2.26+ds/debian/changelog
> --- kanboard-1.2.26+ds/debian/changelog 2023-05-16 22:49:38.000000000 -0400
> +++ kanboard-1.2.26+ds/debian/changelog 2023-06-07 20:45:40.000000000 -0400
> @@ -1,3 +1,24 @@
> +kanboard (1.2.26+ds-4) unstable; urgency=medium
> +
> + * backport security fixes from kanboard v1.2.30
> + > CVE-2023-33956: Parameter based Indirect Object Referencing leading
> + to private file exposure
> + > CVE-2023-33968: Missing access control allows user to move and
> + duplicate tasks to any project in the software
> + > CVE-2023-33969: Stored XSS in the Task External Link Functionality
> + > CVE-2023-33970: Missing access control in internal task links feature
> + (Closes: #1037167)
> +
> + -- Joseph Nahmias <jello@debian.org> Wed, 07 Jun 2023 20:45:40 -0400
> +
> +kanboard (1.2.26+ds-3) unstable; urgency=medium
> +
> + * backport fix for CVE-2023-32685 from kanboard v1.2.29
> + https://github.com/kanboard/kanboard/security/advisories/GHSA-hjmw-gm82-r4gv
> + Based on upstream commits 26b6eeb & c9c1872. (Closes: #1036874)
> +
> + -- Joseph Nahmias <jello@debian.org> Sun, 28 May 2023 21:42:46 -0400
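Review bot: both changelog entries in this hunk are addressed to `unstable` (`kanboard (1.2.26+ds-4) unstable; urgency=medium` and `kanboard (1.2.26+ds-3) unstable; urgency=medium`), so as quoted this is the unstable changelog rather than a stable-update entry; a bookworm-pu upload needs one new entry whose distribution field is `bookworm` and whose version is derived from the package version in bookworm with a `+deb12u1` suffix (1.2.26+ds-2+deb12u1). Also, the -4 entry lists four CVEs without the upstream commit references that the -3 entry gives (`Based on upstream commits 26b6eeb & c9c1872`); naming the backported commit(s) for each CVE would make reviewing the "targeted fixes" claim from the [ Risks ] section much easier.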
This seems to be the current debdiff between bookworm and the unstable
version. But now that bookworm is released, a package does not migrate
anymore from there to stable. What is needed above is to apply the
needed patches on top of the 1.2.26+ds-2 version in testing and
version it such that it is 1.2.26+ds-2+deb12u1.
The developers-reference has some additional hints:
https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions
Hope this helps,
Regards,
Salvatore
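As an added illustration of the versioning point above (this is not code from the bug report, from Salvatore's reply, or from the kanboard package), here is a small POSIX shell check that a `debian/changelog` header line is shaped like a bookworm stable update: the distribution field must be `bookworm` and the version must be the version currently in bookworm followed by a `+deb12uN` suffix. The header lines it is run on are constructed for the example; the function name and the `base` argument are assumptions of this snippet.

```shell
#!/bin/sh
# Added example (not from the page): lint the first line of a
# debian/changelog for the shape expected by a bookworm-pu upload.

check_stable_update_header() {
    # $1: first line of debian/changelog, e.g.
    #     kanboard (1.2.26+ds-2+deb12u1) bookworm; urgency=medium
    # $2: the version of the package currently in bookworm (the base
    #     the stable update must build on), e.g. 1.2.26+ds-2
    line=$1
    base=$2

    # Pull the parenthesised version and the distribution field out of
    # "source (version) distribution; urgency=..."
    version=$(printf '%s\n' "$line" | sed -n 's/^[^ ]* (\([^)]*\)) .*/\1/p')
    dist=$(printf '%s\n' "$line" | sed -n 's/^[^ ]* ([^)]*) \([^;]*\);.*/\1/p')

    # A stable update is uploaded to the stable suite, not to unstable.
    [ "$dist" = "bookworm" ] || return 1

    # The version must be <base>+deb12u<N> so it sorts above the version
    # in bookworm and below anything already in testing/unstable.
    case "$version" in
        "$base"+deb12u[1-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample headers: the first is what a bookworm-pu entry
# should look like, the second is the unstable-targeted entry from the
# quoted debdiff, which the check rejects.
good='kanboard (1.2.26+ds-2+deb12u1) bookworm; urgency=medium'
bad='kanboard (1.2.26+ds-4) unstable; urgency=medium'

if check_stable_update_header "$good" '1.2.26+ds-2'; then
    echo "ok:   $good"
fi
if ! check_stable_update_header "$bad" '1.2.26+ds-2'; then
    echo "wrong suite/version for a stable update: $bad"
fi
```

The check only looks at the header line; it deliberately says nothing about whether the patches themselves are correct, which is the part the release team reviews by hand.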