[Pkg-giraffe-discuss] koapno-webap and php-gettext: CVE-2016-6175
Jelle van der Waa
j.vanderwaa at kopano.com
Wed Jul 17 10:36:43 BST 2019
> Hello Jelle,
>
> I'm not sure if Kopano is aware of an problematic CVE for php-gettext.
> This package has a bug [1] within the Debian tracker with severity grave
> because of CVE-2016-6175.
> As visible this CVE is from 2016!! and got no attraction until now
> upstream in the php-gettext source. So php-gettext will get removed from
> testing on 06 August.
Hi,
It seems we have wrongly added php-gettext as a dependency for WebApp,
we only depend on the gettext C functions which are available via the
php-common package as shared library (gettext.so). I'm in the progress
of removing the dependency from our packages since we have a fallback
mechanism which makes us affected, but removing the php-gettext dependency
will resolve this, since the PHP gettext API is then used. [1]
[1] https://github.com/Kopano-dev/kopano-webapp/blob/master/server/includes/gettext.php#L6
Greetings,
Jelle
More information about the Pkg-giraffe-discuss
mailing list