Hi Tobi,

On Sat, Apr 19, 2025 at 11:10:23AM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Format: 1.8
> Date: Sat, 19 Apr 2025 12:40:39 +0200
> Source: zabbix
> Architecture: source
> Version: 1:5.0.46+dfsg-1+deb11u1
> Distribution: bullseye-security
> Urgency: medium
> Maintainer: Dmitry Smirnov <[email protected]>
> Changed-By: Tobias Frost <[email protected]>
> Changes:
>  zabbix (1:5.0.46+dfsg-1+deb11u1) bullseye-security; urgency=medium
>  .
>    * Non maintainer upload by the LTS team.
>    * Updating to latest upstream LTS release of the 5.0.x series.
>      - Refreshing patch java-gateway.patch
>        (upstream embedded libs changes versions, but we are using packaged
>        versions.)
>      - Refreshing patch CVE-2024-36461.patch and CVE-2024-42331.patch due to
>        upstream changes.
>      - Drop CVE-2024-42330.patch, has been included in new upstream release.
>    * New upstream LTS release addresses:
>      - CVE-2024-36469 - user enumeration via timing attack.
>      - CVE-2024-42325 - information disclosure.
>    * Backport upstream fixes:
>      - CVE-2024-45699 - Cross-site Scripting (XSS)
>      - CVE-2024-45700 - Denial of Service
I meant to write this already some uploads back, but then I forgot, taking now the opportunity while the upload is fresh :)

As this is the import of a new upstream version on top of the packaging and not an incremental patching on top of the already present 1:5.0.46+dfsg-1, please consider using as version either 1:5.0.46+dfsg-0+deb11u1 or 1:5.0.46+dfsg-1~deb11u1 (even if 1:5.0.46+dfsg-1 was never present in an upload). Similar cases are covered by php, mariadb, firefox-esr, thunderbird, although there are some notable exceptions (for instance src:linux).

HTH,

Regards,
Salvatore
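To see why the suggested version strings matter, here is an added example (not part of the thread, and not dpkg's own code) that reimplements the version ordering rules from Debian Policy 5.6.12 and sorts the four versions discussed above; it assumes the reimplementation agrees with dpkg for these inputs.

```python
import re
from functools import cmp_to_key
# '~' < end of string < letters < everything else (dpkg's character weights)
def _order(ch):
    if ch == "" or ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    return -1 if ch == "~" else ord(ch) + 256

# dpkg's verrevcmp: alternate weighted non-digit runs and numeric digit runs
def _cmp_fragment(a, b):
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            oa = _order(a[i] if i < len(a) else "")
            ob = _order(b[j] if j < len(b) else "")
            if oa != ob:
                return oa - ob
            i, j = i + 1, j + 1
        da = re.match(r"\d*", a[i:]).group()  # a missing digit run counts as 0
        db = re.match(r"\d*", b[j:]).group()
        i, j = i + len(da), j + len(db)
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

# "[epoch:]upstream[-revision]"; missing epoch is 0, missing revision is ""
def _split(version):
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

# -1, 0 or 1 as a sorts before, equal to or after b (cf. dpkg --compare-versions)
def compare_versions(a, b):
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    for c in (ea - eb, _cmp_fragment(ua, ub), _cmp_fragment(ra, rb)):
        if c:
            return 1 if c > 0 else -1
    return 0
def sort_versions(versions):
    return sorted(versions, key=cmp_to_key(compare_versions))

# Versions from the thread: uploaded, the hypothetical later -1, and the two suggested
print(sort_versions(["1:5.0.46+dfsg-1+deb11u1", "1:5.0.46+dfsg-1",
                     "1:5.0.46+dfsg-0+deb11u1", "1:5.0.46+dfsg-1~deb11u1"]))
```

Both suggested versions sort below a later 1:5.0.46+dfsg-1, whereas the uploaded 1:5.0.46+dfsg-1+deb11u1 sorts above it; `dpkg --compare-versions` remains the authoritative check.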
