Hi,

On Wed, Dec 25, 2024 at 09:49:36AM +0100, Roland Gruber wrote:
> Hi,
>
> the source files for the 9.0 version that fixes the issue can be found here:
>
> https://www.ldap-account-manager.org/static/debian-packages/
>
> Since this vulnerability is moderate and depends on a misconfiguration of
> Apache or a different application I do not intend to provide a patch version
> for Stable. In addition, the fix was done by replacing the config file
> format (TXT to JSON) which is not a small topic to backport.
>
> If needed, 9.0 can be used as fix for Stable, it is compatible with this
> release, too.
> 9.0 can still read the old 8.x file format but changes are stored in new
> format.

Thanks for the update. I think it would be good to make sure we get
the change in trixie with the rebase to 9.0.

FWIW, for bookworm we marked the issue no-dsa, but I guess we then can
mark it as ignored.

Regards,
Salvatore