[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1038154: marked as done (bookworm-pu: package spip/4.1.9+dfsg-1+deb12u1)

Your message dated Sat, 22 Jul 2023 13:19:41 +0000
with message-id <E1qNCWL-005roP-6s@coccia.debian.org>
and subject line Released with 12.1
has caused the Debian Bug report #1038154,
regarding bookworm-pu: package spip/4.1.9+dfsg-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1038154: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1038154
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: spip@packages.debian.org
Control: affects -1 + src:spip

[ Request similar to #1038153 for Bullseye ]

Hi,

Congrats to the team for the Bookworm release!

SPIP has been updated upstream to fix some security issues (link to the
French-only announcement follows), and we agreed with the security team
that they don’t warrant a DSA this time.

https://blog.spip.net/Mise-a-jour-de-maintenance-et-securite-sortie-de-SPIP-4-2-3-SPIP-4-1-10.html

The main backported fix is the one that limits recursion depth in
protege_champ() function.

The security screen fix (avoiding unserialize use) should already be
fixed in the main code, and the htaccess change is only provided as an
example (in /usr/share/doc/spip).

This version also ships a compatibility fix for PHP 8.1 in the
mutualisation plugin shipped in the Debian package, and some metadata
changes (d/{changelog,control,gbp.conf}).

As an alternative, a 4.1.10+dfsg-1~deb12u1 version could be proposed.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

diff -Nru spip-4.1.9+dfsg/debian/changelog spip-4.1.9+dfsg/debian/changelog
--- spip-4.1.9+dfsg/debian/changelog	2023-02-28 21:25:27.000000000 +0100
+++ spip-4.1.9+dfsg/debian/changelog	2023-06-11 15:38:54.000000000 +0200
@@ -1,3 +1,19 @@
+spip (4.1.9+dfsg-1+deb12u1) bookworm; urgency=medium
+
+  [ David Prévot ]
+  * Add CVE to previous changelog entry
+  * Update documented branch
+  * Backport security fixes from 4.1.10
+    - Limit recursion depth in protege_champ() function
+    - Avoid unserialize use in security screen
+    - Properly block hidden files in provided htaccess
+    - Update security screen to 1.5.3
+
+  [ RealET ]
+  * mutualisation: PHP 8.1 compatibility fixes #2
+
+ -- David Prévot <taffit@debian.org>  Sun, 11 Jun 2023 15:38:54 +0200
+
 spip (4.1.9+dfsg-1) unstable; urgency=medium
 
   [ Cerdic ]
@@ -15,7 +31,7 @@
   * build: Version SPIP 4.1.8
 
   [ Cerdic ]
-  * Fix: Sanitizer toutes les valeurs passées aux formulaires
+  * Fix: Sanitizer toutes les valeurs passées aux formulaires [CVE-2023-27372]
   * fix: Sanitizer toutes les valeurs passées aux formulaires preventivement
     dans l'écran de sécurité
 
diff -Nru spip-4.1.9+dfsg/debian/control spip-4.1.9+dfsg/debian/control
--- spip-4.1.9+dfsg/debian/control	2023-02-28 19:47:19.000000000 +0100
+++ spip-4.1.9+dfsg/debian/control	2023-06-11 15:37:44.000000000 +0200
@@ -5,7 +5,7 @@
 Build-Depends: cssmin, debhelper-compat (= 13), dh-apache2, minify
 Homepage: https://www.spip.net/
 Standards-Version: 4.6.2
-Vcs-Git: https://salsa.debian.org/debian/spip.git -b debian/latest
+Vcs-Git: https://salsa.debian.org/debian/spip.git -b debian/bookworm-security
 Vcs-Browser: https://salsa.debian.org/debian/spip
 Rules-Requires-Root: no
 
diff -Nru spip-4.1.9+dfsg/debian/gbp.conf spip-4.1.9+dfsg/debian/gbp.conf
--- spip-4.1.9+dfsg/debian/gbp.conf	2023-02-28 19:47:26.000000000 +0100
+++ spip-4.1.9+dfsg/debian/gbp.conf	2023-06-11 15:37:44.000000000 +0200
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/bookworm
+debian-branch = debian/bookworm-security
 pristine-tar = True
 upstream-branch = upstream-4.1
 upstream-vcs-tag = v%(version%~%-)s
diff -Nru spip-4.1.9+dfsg/debian/mutualisation/exec/mutualisation.php spip-4.1.9+dfsg/debian/mutualisation/exec/mutualisation.php
--- spip-4.1.9+dfsg/debian/mutualisation/exec/mutualisation.php	2022-06-17 19:32:19.000000000 +0200
+++ spip-4.1.9+dfsg/debian/mutualisation/exec/mutualisation.php	2023-06-11 15:37:21.000000000 +0200
@@ -34,10 +34,6 @@
 	$url_admin_plugin = 'ecrire/?exec=admin_plugin';
 	$url_admin_vider = 'ecrire/?exec=admin_vider';
 
-	if (!file_exists(_DIR_IMG . 'mutualiser-128.png')) {
-		@copy(find_in_path('mutualiser-128.png'), _DIR_IMG . 'mutualiser-128.png');
-	}
-
 	$titre = _L(count($sites) . ' ' . 'sites mutualis&#233;s <em>(' . _T('version') . ' ' . $GLOBALS['spip_version_base'] . ')</em>');
 
 	//$page .= "<div id='trace'></div>" ;
@@ -151,9 +147,9 @@
 			if ($compression == '') {
 				$compression = _L('Activer');
 			}
+			$configsparticulieres = '';
 			if (isset($GLOBALS['mutualisation_afficher_config'])) {
 				$configs = explode(",", $GLOBALS['mutualisation_afficher_config']);
-				$configsparticulieres = '';
 				foreach ($configs as $config) {
 
 					$configsparticulieres .= '<em><small>' . $config . ':</small></em> ' . lire_config_distante($config, $meta) . "<br />\n";
@@ -226,17 +222,17 @@
 				. "\n"
 				. '</tr>'
 				. "\n";
-			if ($_GET['tri'] AND isset($plnum[intval(count($c))])) {
+			if (!empty($_GET['tri']) AND isset($plnum[intval(count($c))])) {
 				$plnum[intval(count($c))] .= $ligne;
 			} else {
-				if ($_GET['tri']) {
+				if (!empty($_GET['tri'])) {
 					$plnum[intval(count($c))] = $ligne;
 				} else {
 					$plnum[] = $ligne;
 				}
 			}
 		}
-		if ($_GET['tri']) {
+		if (!empty($_GET['tri'])) {
 			krsort($plnum);
 		}
 		$page .= implode('', $plnum);
@@ -398,9 +394,9 @@
 	$debug_toolbar .= "<div class='toolbar-icon'><i class='icon-time'></i> <span>" . $page_load_time . " s</span></div>\n";
 	$debug_toolbar .= "<div class='toolbar-info'>";
 	$debug_toolbar .= "<div class='toolbar-info-element'><b>Début du script</b> <span>" . date('H:i:s',
-			$timestart) . "</span></div>\n";
+			(int) $timestart) . "</span></div>\n";
 	$debug_toolbar .= "<div class='toolbar-info-element'><b>Fin du script</b> <span>" . date('H:i:s',
-			$timeend) . "</span></div>\n";
+			(int) $timeend) . "</span></div>\n";
 	$debug_toolbar .= "<div class='toolbar-info-element'><b>Temps d'exécution</b> <span>" . $page_load_time . " s</span></div>\n";
 	$debug_toolbar .= "</div></div>\n";
 
@@ -590,7 +586,7 @@
 	return false;
 }
 
-function lire_config_distante($cfg = '', $meta) {
+function lire_config_distante($cfg = '', $meta = '') {
 	$def = null;
 	$unserialize = true;
 	// lire le stockage sous la forme valeur
@@ -611,8 +607,8 @@
 		return $r;
 	} else {
 		$cfg = explode('/', $cfg);
-		$r = @unserialize($meta[$cfg[0]]);
-		$r = $r[$cfg[1]];
+		$r = unserialize($meta[$cfg[0]] ?? '');
+		$r = $r[$cfg[1]] ?? '';
 
 		return $r;
 	}
diff -Nru spip-4.1.9+dfsg/debian/mutualisation/paquet.xml spip-4.1.9+dfsg/debian/mutualisation/paquet.xml
--- spip-4.1.9+dfsg/debian/mutualisation/paquet.xml	2022-06-17 19:32:19.000000000 +0200
+++ spip-4.1.9+dfsg/debian/mutualisation/paquet.xml	2023-06-11 15:37:21.000000000 +0200
@@ -1,24 +1,24 @@
-<paquet
-	prefix="Mutualisation"
-	categorie="maintenance"
-	version="1.4.10"
-	etat="stable"
-	compatibilite="[3.0.0;4.1.*]"
-	logo="mutualiser-128.png"
-	documentation="https://contrib.spip.net/La-mutualisation-facile-modifications-manuelles";
->
-
-	<nom>Mutualisation facile</nom>
-	<!-- Créer une ferme à Spip -->
-
-	<auteur>Fil</auteur>
-	<auteur>Teddy</auteur>
-
-	<copyright>2007-2018</copyright>
-
-	<licence lien="http://www.gnu.org/licenses/lgpl-3.0.html";>LGPL 3</licence>
-	<licence lien="http://www.gnu.org/licenses/gpl-3.0.html";>GPL 3 (2013)</licence>
-	<licence lien="http://www.wtfpl.net/about/";>WTFPL 2 (2013)</licence>
-
-	<chemin path="" type="aucun" />
-</paquet>
+<paquet
+	prefix="Mutualisation"
+	categorie="maintenance"
+	version="1.4.11"
+	etat="stable"
+	compatibilite="[3.0.0;4.1.*]"
+	logo="mutualiser-128.png"
+	documentation="https://contrib.spip.net/La-mutualisation-facile-modifications-manuelles";
+>
+
+	<nom>Mutualisation facile</nom>
+	<!-- Créer une ferme à Spip -->
+
+	<auteur>Fil</auteur>
+	<auteur>Teddy</auteur>
+
+	<copyright>2007-2018</copyright>
+
+	<licence lien="http://www.gnu.org/licenses/lgpl-3.0.html";>LGPL 3</licence>
+	<licence lien="http://www.gnu.org/licenses/gpl-3.0.html";>GPL 3 (2013)</licence>
+	<licence lien="http://www.wtfpl.net/about/";>WTFPL 2 (2013)</licence>
+
+	<chemin path="" type="aucun" />
+</paquet>
diff -Nru spip-4.1.9+dfsg/debian/patches/0005-security-limiter-la-profondeur-de-recursion-de-prote.patch spip-4.1.9+dfsg/debian/patches/0005-security-limiter-la-profondeur-de-recursion-de-prote.patch
--- spip-4.1.9+dfsg/debian/patches/0005-security-limiter-la-profondeur-de-recursion-de-prote.patch	1970-01-01 01:00:00.000000000 +0100
+++ spip-4.1.9+dfsg/debian/patches/0005-security-limiter-la-profondeur-de-recursion-de-prote.patch	2023-06-11 15:37:44.000000000 +0200
@@ -0,0 +1,37 @@
+From: Cerdic <cedric@yterium.com>
+Date: Tue, 7 Mar 2023 14:56:30 +0100
+Subject: security: limiter la profondeur de recursion de `protege_champ`
+
+(cherry picked from commit b362e987b41fac344150f97cc563bf4d8c8181fa)
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/9b73dbd66e50baf312ba1c7df21efebba4ae08f1
+---
+ ecrire/balise/formulaire_.php | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/ecrire/balise/formulaire_.php b/ecrire/balise/formulaire_.php
+index 71672cf..22d642b 100644
+--- a/ecrire/balise/formulaire_.php
++++ b/ecrire/balise/formulaire_.php
+@@ -34,9 +34,19 @@ include_spip('inc/texte');
+  * @return string|array|null
+  *     Saisie protégée
+  **/
+-function protege_champ($texte) {
++function protege_champ($texte, $max_prof = 128) {
+ 	if (is_array($texte)) {
+-		return array_map('protege_champ', $texte);
++		// si on dépasse la prof max on tronque
++		if ($max_prof > 0) {
++			return array_map(
++				function($v) use ($max_prof) {
++					return protege_champ($v, $max_prof-1);
++				},
++				$texte
++			);
++		}
++		// si on dépasse la prof max on tronque
++		return [];
+ 	} elseif ($texte === null) {
+ 		return $texte;
+ 	} elseif (is_bool($texte)) {
diff -Nru spip-4.1.9+dfsg/debian/patches/0006-security-Ameliorer-c76770a-en-vitant-un-unserialize-.patch spip-4.1.9+dfsg/debian/patches/0006-security-Ameliorer-c76770a-en-vitant-un-unserialize-.patch
--- spip-4.1.9+dfsg/debian/patches/0006-security-Ameliorer-c76770a-en-vitant-un-unserialize-.patch	1970-01-01 01:00:00.000000000 +0100
+++ spip-4.1.9+dfsg/debian/patches/0006-security-Ameliorer-c76770a-en-vitant-un-unserialize-.patch	2023-06-11 15:37:44.000000000 +0200
@@ -0,0 +1,64 @@
+From: Cerdic <cedric@yterium.com>
+Date: Tue, 7 Mar 2023 15:03:08 +0100
+Subject: =?utf-8?q?security=3A_Ameliorer_c76770a_en_=C3=A9vitant_un_=60unse?=
+ =?utf-8?q?rialize=60_dans_l=27=C3=A9cran_de_s=C3=A9curit=C3=A9?=
+
+(cherry picked from commit 9b1c3cf455b624163546f1521148897a5c96d5d6)
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/9f55790164f7869d2e315a49b3fdc4af0c5b8fdd
+---
+ config/ecran_securite.php | 36 ++++++++++++++++++++++++++++++------
+ 1 file changed, 30 insertions(+), 6 deletions(-)
+
+diff --git a/config/ecran_securite.php b/config/ecran_securite.php
+index 4ff6917..7a4e153 100644
+--- a/config/ecran_securite.php
++++ b/config/ecran_securite.php
+@@ -654,17 +654,41 @@ if (
+ ) {
+ 	foreach ($_REQUEST as $k => $v) {
+ 		if (is_string($v)
+-		  and strpos($v, ':') !== false
+-		  and strpos($v, '"') !==false
+-		  and preg_match(',[bidsaO]:,', $v)
+-		  and @unserialize($v)) {
+-			$_REQUEST[$k] = htmlentities($v);
++		  and strpbrk($v, "&\"'<>") !== false
++		  and preg_match(',^[abis]:\d+[:;],', $v)
++		  and __ecran_test_if_serialized($v)
++		) {
++			$_REQUEST[$k] = htmlspecialchars($v, ENT_QUOTES);
+ 			if (isset($_POST[$k])) $_POST[$k] = $_REQUEST[$k];
+ 			if (isset($_GET[$k])) $_GET[$k] = $_REQUEST[$k];
+ 		}
+ 	}
+ }
+-
++/**
++ * Version simplifiée de https://developer.wordpress.org/reference/functions/is_serialized/
++ */
++function __ecran_test_if_serialized($data) {
++	$data = trim($data);
++	if ('N;' === $data) {return true;}
++	if (strlen($data) < 4) {return false;}
++	if (':' !== $data[1]) {return false;}
++	$semicolon = strpos($data, ';');
++	$brace = strpos($data, '}');
++	// Either ; or } must exist.
++	if (false === $semicolon && false === $brace) {return false;}
++	// But neither must be in the first X characters.
++	if (false !== $semicolon && $semicolon < 3) {return false;}
++	if (false !== $brace && $brace < 4) {return false;}
++	$token = $data[0];
++	if (in_array($token, array('s', 'S'))) {
++		if (false === strpos($data, '"')) {return false;}
++	} elseif (in_array($token, array('a', 'O', 'C', 'o', 'E'))) {
++		return (bool)preg_match("/^{$token}:[0-9]+:/s", $data);
++	} elseif (in_array($token, array('b', 'i', 'd'))) {
++		return (bool)preg_match("/^{$token}:[0-9.E+-]+;/", $data);
++	}
++	return false;
++}
+ 
+ /*
+  * S'il y a une raison de mourir, mourons
diff -Nru spip-4.1.9+dfsg/debian/patches/0007-security-Effectivement-bloquer-les-fichiers-cach-s-d.patch spip-4.1.9+dfsg/debian/patches/0007-security-Effectivement-bloquer-les-fichiers-cach-s-d.patch
--- spip-4.1.9+dfsg/debian/patches/0007-security-Effectivement-bloquer-les-fichiers-cach-s-d.patch	1970-01-01 01:00:00.000000000 +0100
+++ spip-4.1.9+dfsg/debian/patches/0007-security-Effectivement-bloquer-les-fichiers-cach-s-d.patch	2023-06-11 15:37:44.000000000 +0200
@@ -0,0 +1,75 @@
+From: Matthieu Marcillaud <marcimat@rezo.net>
+Date: Wed, 7 Jun 2023 09:40:00 +0200
+Subject: =?utf-8?q?security=3A_Effectivement_bloquer_les_fichiers_cach?=
+ =?utf-8?q?=C3=A9s_dans_le_htaccess?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+L’histoire est quelque peu ubuesque, et remonte à il y a 16 ans via 26a1f4906d23
+qui a déplacé des règles trop bas. Ça ne bloquait plus les .svn depuis,
+à cause du fait que plus haut, si c’est un fichier, on exécute la règle
+`[S=100]` qui saute les prochaines `RewriteRule`.
+
+- #5109 a semblé corriger en utilisant `RedirectMatch`, qui n’est pas affecté
+  par le Skip (sans se rendre compte du problème initial)
+- #5432 a remis une `RewriteRule`, et du coup, de nouveau paf.
+
+Ce n’est pas toujours très visible car les serveurs eux-mêmes bloquent
+déjà souvent ces répertoires cachés.
+
+Donc, on remonte bien plus haut les règles de blocage des fichiers cachés
+et on leur fait un titre dédié.
+
+Refs: #5109 #5432 spip-team/securite#4844
+(cherry picked from commit d50cb7bbc7a71ff23a77dfe02215c16991437336)
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/36ec7947e96e44af095c3cf87f25cf27a963fe40
+---
+ htaccess.txt | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/htaccess.txt b/htaccess.txt
+index 3154787..667cfc6 100644
+--- a/htaccess.txt
++++ b/htaccess.txt
+@@ -37,9 +37,15 @@ RewriteRule ^(.*) - [E=BASE:%1]
+ 
+ 
+ 
+-
+-################ GESTIONS DES URLS SPIP #######################
++############# GESTIONS DES ACCES FICHIERS #####################
+ ###
++
++# bloquer les acces aux fichiers caches (.svn, .git, etc)
++RewriteCond %{REQUEST_URI} !^/.well-known/
++RewriteRule "(^|/)\." - [R=404,NC,L]
++# bloquer les informations Composer
++RedirectMatch 404 ^/composer\.(json|lock|phar)$
++
+ # Si le fichier ou repertoire demande existe
+ # ignorer toutes les regles qui suivent
+ <IfModule mod_headers.c>
+@@ -56,6 +62,8 @@ RewriteRule "." - [skip=100]
+ #
+ ###
+ 
++################ GESTIONS DES URLS SPIP #######################
++###
+ 
+ ###
+ # Compatibilite avec les URLS "html" (pour transition sympa)
+@@ -100,12 +108,6 @@ RewriteRule ^[^\.]+(\.html)?$		spip.php [QSA,E=url_propre:$0,L]
+ ###
+ # Divers
+ 
+-# bloquer les acces aux fichiers caches (.svn, .git, etc)
+-RewriteCond %{REQUEST_URI} !^/.well-known/
+-RewriteRule "(^|/)\." - [R=404,NC,L]
+-# bloquer les informations Composer
+-RedirectMatch 404 ^/composer\.(json|lock|phar)$
+-
+ ###
+ # Fichiers "standards" (si absents de la racine)
+ #
diff -Nru spip-4.1.9+dfsg/debian/patches/0008-build-Up-cran-de-s-cu-en-1.5.3.patch spip-4.1.9+dfsg/debian/patches/0008-build-Up-cran-de-s-cu-en-1.5.3.patch
--- spip-4.1.9+dfsg/debian/patches/0008-build-Up-cran-de-s-cu-en-1.5.3.patch	1970-01-01 01:00:00.000000000 +0100
+++ spip-4.1.9+dfsg/debian/patches/0008-build-Up-cran-de-s-cu-en-1.5.3.patch	2023-06-11 15:37:44.000000000 +0200
@@ -0,0 +1,51 @@
+From: Matthieu Marcillaud <marcimat@rezo.net>
+Date: Wed, 7 Jun 2023 12:12:57 +0200
+Subject: =?utf-8?q?build=3A_Up_=C3=A9cran_de_s=C3=A9cu_en_1=2E5=2E3?=
+
+Origin: upstream, https://git.spip.net/spip/spip/commit/536192d895c051b0859374710fbdd5bf15205e3f
+---
+ config/ecran_securite.php | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/config/ecran_securite.php b/config/ecran_securite.php
+index 7a4e153..53581fc 100644
+--- a/config/ecran_securite.php
++++ b/config/ecran_securite.php
+@@ -5,7 +5,7 @@
+  * ------------------
+  */
+ 
+-define('_ECRAN_SECURITE', '1.5.0'); // 2023-02-27
++define('_ECRAN_SECURITE', '1.5.3'); // 2023-05-31
+ 
+ /*
+  * Documentation : https://www.spip.net/fr_article4200.html
+@@ -650,7 +650,7 @@ if (
+ }
+ 
+ if (
+-	isset($_REQUEST['formulaire_action_args'])
++	isset($_REQUEST['formulaire_action_args']) || isset($_REQUEST['var_login'])
+ ) {
+ 	foreach ($_REQUEST as $k => $v) {
+ 		if (is_string($v)
+@@ -680,9 +680,8 @@ function __ecran_test_if_serialized($data) {
+ 	if (false !== $semicolon && $semicolon < 3) {return false;}
+ 	if (false !== $brace && $brace < 4) {return false;}
+ 	$token = $data[0];
+-	if (in_array($token, array('s', 'S'))) {
+-		if (false === strpos($data, '"')) {return false;}
+-	} elseif (in_array($token, array('a', 'O', 'C', 'o', 'E'))) {
++    if (in_array($token, array('s', 'S', 'a', 'O', 'C', 'o', 'E'))) {
++		if (in_array($token, array('s', 'S')) and false === strpos($data, '"')) {return false;}
+ 		return (bool)preg_match("/^{$token}:[0-9]+:/s", $data);
+ 	} elseif (in_array($token, array('b', 'i', 'd'))) {
+ 		return (bool)preg_match("/^{$token}:[0-9.E+-]+;/", $data);
+@@ -690,6 +689,7 @@ function __ecran_test_if_serialized($data) {
+ 	return false;
+ }
+ 
++
+ /*
+  * S'il y a une raison de mourir, mourons
+  */
diff -Nru spip-4.1.9+dfsg/debian/patches/series spip-4.1.9+dfsg/debian/patches/series
--- spip-4.1.9+dfsg/debian/patches/series	2023-02-28 21:19:02.000000000 +0100
+++ spip-4.1.9+dfsg/debian/patches/series	2023-06-11 15:37:44.000000000 +0200
@@ -2,3 +2,7 @@
 0002-No-next-upstream-version-display-in-private-area.patch
 0003-Fix-displayed-version-in-the-private-interface.patch
 0004-Use-getid3-class-from-the-php-getid3-package.patch
+0005-security-limiter-la-profondeur-de-recursion-de-prote.patch
+0006-security-Ameliorer-c76770a-en-vitant-un-unserialize-.patch
+0007-security-Effectivement-bloquer-les-fichiers-cach-s-d.patch
+0008-build-Up-cran-de-s-cu-en-1.5.3.patch

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message --- 
Version: 12.1

The upload requested in this bug has been released as part of 12.1.

--- End Message ---
Reply to: