Control: tag -1 moreinfo

Hi Mike,

On Sat, Apr 25, 2020 at 09:57:01PM +0200, Mike Gabriel wrote:
> Package: release.debian.org
> Severity: normal
> Tags: stretch
> User: [email protected]
> Usertags: pu
>
> Dear release team,
>
> this is a follow-up for #927433 (about +deb9u2).
>
> + * debian/patches/1047_CVE-2019-14466-1_replace_unserialize_with_json_
> + encode+json_decode.patch:
> + + Replace (un)serialize with json_encode/json_decode to mitigate PHP
> object
> + injection (CVE-2019-14466).
>
> Since I last uploaded the stretch-pu of gosa, one more CVE issue got
> known and already addressed in the Git branch.
>
> I will follow-up with a +deb9u3 upload on the +deb9u2 upload. Luckily,
> this one is not as massive as the +deb9u2 one.
>

Which package versions fix this for buster and sid?

Cheers,
Julien
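
Review bot: the quoted changelog entry for 1047_CVE-2019-14466-1_replace_unserialize_with_json_encode+json_decode.patch does not say what happens to values that were already written with serialize() once they are read back with json_decode. A line stating whether such values are converted, rejected or discarded would make the behaviour change easier to assess for a stable update. The "-1" in the patch name also reads like the first part of a series, so the entry should state whether further parts belong to the CVE-2019-14466 fix and are included in this upload.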

