On Wed, Mar 06, 2024 at 06:39:01AM -0300, Leandro Cunha wrote:
> Hi Christoph Berg,
> 
> On Wed, Mar 6, 2024 at 5:42 AM Christoph Berg <m...@debian.org> wrote:
> >
> > Re: Leandro Cunha
> > > The
> > > next job would be to make it available through backports and I would
> > > choose to remove this package from stable. But I would only leave
> > > bookworm backports due to other bugs found (this CVEs too) and fixed
> > > in 7.14.7.
> > > I have to search about the status of backports to oldstable. But I'm
> > > also studying the possibility of working with patches for these two
> > > versions.
> >
> > Why would you want to remove it from stable? In closed environments,
> > CVEs are often not a problem.
> >
> > Christoph
> 
> In addition to the CVEs, phppgadmin as present in stable does not
> connect to PostgreSQL 15 and 16 without a patch I inserted in
> 7.13.0+dfsg-3, but I can add the same patch by reopening bug #1029516
> or opening another important bug (I am aware that the bug must have a
> severity greater than important)[3] for stable and submitting a new
> bug to the release team for approval. That way a version with this
> issue fixed would be released in a future release (if approved). But
> CVE-2023-40619 is treated with critical severity and CVE-2019-10784
> is also critical according to the NVD[1][2]. The Debian LTS team
> handled this with DLA-3644-1 (CVE-2023-40619)[4] in buster
> (oldoldstable) and the openSUSE team also handled both CVEs in
> Leap[5][6].
> Removing this package from stable will not leave users without it, as
> we can release it in backports.
> I can treat this as a job of ensuring the quality of what is
> distributed by Debian.

Agreed, if the package is actually broken with the version of PostgreSQL
in stable and if there's no sensible backport for the open security issues,
then let's rather remove it by the next point release.

Cheers,
        Moritz
