Package: phpsysinfo
Version: 3.2.5-3
Severity: important

Dear Maintainer,

The version of phpSysInfo shipped in Debian is very old, and in turn bundles a very old version of jQuery (1.12.4).

Rather than upgrade to a recent jQuery - which would allow for using libjs-jquery instead - upstream has decided to backport fixes for at least some of these CVEs, as seen in <https://github.com/phpsysinfo/phpsysinfo/commit/7fece46f79135d0a850fbda92c277684cd5596d4> and elsewhere.

Please consider upgrading the package to the most recent upstream version so Debian users can benefit from these fixes and others. In lieu of that, please upgrade the bundled jQuery libs, which appear to have been quite heavily patched by upstream over the years.

I'm also wondering whether the existing dependency on libjs-jquery is actually needed, as it does not seem to actually be used. Presumably a modern day jQuery version would not work with phpSysInfo if it needs such ancient versions, at least not without jQuery Migrate being involved, which is presumably an upstream job and outside the scope of package maintenance.

Thanks.

-- System Information:
Debian Release: 10.13
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-0.deb10.16-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/bash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages phpsysinfo depends on:
ii  apache2 [httpd]       2.4.52-1~deb11u2
ii  libjs-jquery          3.5.1+dfsg-4~bpo10+1
ii  php                   2:8.1+92+0~20220117.43+debian10~1.gbpe0d14e
ii  php-xml               2:8.1+92+0~20220117.43+debian10~1.gbpe0d14e
ii  php8.1 [php]          8.1.10-2+0~20220918.26+debian10~1.gbp595f64
ii  php8.1-xml [php-xml]  8.1.10-2+0~20220918.26+debian10~1.gbp595f64

phpsysinfo recommends no packages.

Versions of packages phpsysinfo suggests:
ii  hddtemp     0.3-beta15-53
ii  lm-sensors  1:3.5.0-3

-- no debconf information