Hi Julien,

On Sunday, 26 April 2020, Julien Cristau wrote:
> Control: tag -1 moreinfo
>
> Hi Mike,
>
> On Sat, Apr 25, 2020 at 09:57:01PM +0200, Mike Gabriel wrote:
> > Package: release.debian.org
> > Severity: normal
> > Tags: stretch
> > User: release.debian....@packages.debian.org
> > Usertags: pu
> >
> > Dear release team,
> >
> > this is a follow-up for #927433 (about +deb9u2).
> >
> >   + * debian/patches/1047_CVE-2019-14466-1_replace_unserialize_with_json_
> >   +   encode+json_decode.patch:
> >   +   + Replace (un)serialize with json_encode/json_decode to mitigate PHP object
> >   +     injection (CVE-2019-14466).
> >
> > Since I last uploaded the stretch-pu of gosa, one more CVE issue became
> > known and has already been addressed in the Git branch.
> >
> > I will follow up with a +deb9u3 upload on top of the +deb9u2 upload. Luckily,
> > this one is not as massive as the +deb9u2 one.
>
> Which package versions fix this for buster and sid?
>
> Cheers,
> Julien

see... https://security-tracker.debian.org/tracker/CVE-2019-14466

in fact, CVE-2019-14466 has not been fixed in buster yet. I thought I had, but obviously I had not. I can prepare an upload for that tomorrow.

The gosa in sid, regarding CVE-2019-14466, got fixed in 2.7.4+reloaded3-10.

Greets,
Mike

--
Sent from my Sailfish device
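The changelog entry quoted in the thread replaces (un)serialize with json_encode/json_decode to mitigate PHP object injection. The following PHP is an added illustration of why that swap removes the sink; it is not code from this thread, from the gosa package or from the CVE-2019-14466 fix. The class TempFileCleaner, the payload builder, the temp file and the function names are all constructed for the demo and say nothing about where the GOsa issue actually sits. It assumes PHP 7.3 or later (for JSON_THROW_ON_ERROR and JsonException).

```php
<?php
// Added example, not GOsa code: the PHP object injection sink that
// unserialize() on untrusted input creates, beside the json_decode()
// replacement. Class, payload and file paths are constructed for the demo.

// Stand-in for any application class whose magic methods have side effects.
class TempFileCleaner
{
    public $path;

    public function __construct(string $path)
    {
        $this->path = $path;
    }

    // Runs when the object is released, including objects that unserialize()
    // built without ever calling the constructor.
    public function __destruct()
    {
        if (is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// Vulnerable: unserialize() instantiates whatever class the payload names.
function restoreVulnerable(string $data)
{
    return unserialize($data);
}

// Hardened: json_decode() yields only scalars and arrays (stdClass at most),
// so no application class is instantiated and no magic method runs.
function restoreHardened(string $data): array
{
    $decoded = json_decode($data, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($decoded)) {
        throw new UnexpectedValueException('expected a JSON object or array');
    }
    return $decoded;
}

// Constructed attacker payload: a serialized TempFileCleaner aimed at a file
// the attacker wants removed. The byte-length prefix must match the path.
function buildPayload(string $path): string
{
    return sprintf('O:15:"TempFileCleaner":1:{s:4:"path";s:%d:"%s";}',
                   strlen($path), $path);
}

$victim = tempnam(sys_get_temp_dir(), 'poi');
file_put_contents($victim, 'keep me');

// 1. unserialize(): the payload becomes a live TempFileCleaner; releasing it
//    fires __destruct() and deletes the file.
$obj = restoreVulnerable(buildPayload($victim));
unset($obj);
echo "after unserialize: ", file_exists($victim) ? "file kept" : "file deleted", "\n";

// 2. json_decode() on the equivalent JSON: the result is a plain array, the
//    file is untouched, and any object is built only via its constructor,
//    where the caller can validate the path first.
file_put_contents($victim, 'keep me');
$state = restoreHardened(json_encode(['path' => $victim]));
echo "after json_decode: ", gettype($state), ", ",
     file_exists($victim) ? "file kept" : "file deleted", "\n";

// 3. The old serialized format is rejected outright by the hardened path.
try {
    restoreHardened(buildPayload($victim));
} catch (JsonException $e) {
    echo "serialized payload rejected: ", $e->getMessage(), "\n";
}

unlink($victim);
```

Run it with `php demo.php`. Step 3 is the practical caveat of such a migration: data previously written with serialize() no longer loads, so any persisted state needs a one-off conversion or a compatibility reader. Where the serialize format has to stay, `unserialize($data, ['allowed_classes' => false])` (PHP 7.0 and later) is the narrower fix, turning named classes into __PHP_Incomplete_Class instead of instantiating them; json_decode avoids the format entirely.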