[Pkg-nagios-devel] Bug#991116: Bug#991116: icingaweb2: CVE-2021-32746 CVE-2021-32747

Salvatore Bonaccorso carnil at debian.org
Wed Jul 14 20:50:42 BST 2021


Hi,

On Wed, Jul 14, 2021 at 09:18:24PM +0200, Sebastiaan Couwenberg wrote:
> Control: tags -1 pending
> 
> On 7/14/21 9:00 PM, Salvatore Bonaccorso wrote:
> > If you fix the vulnerabilities please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> 
> 2.9.0 would ideally have been uploaded (to experimental) which contains
> the fixes for these issues, but it requires a more recent version of
> icingaweb2-module-ipl (#991117). Those module packages are maintained
> outside the Nagios team which complicates issues.
> 
> 2.8.3 will be uploaded instead.

Thanks!

About the new upstream version: it looks like, apart from the two fixes, there
were other changes done, so given we are very short before the full freeze
for bullseye it might be more suitable to just cherry-pick
https://github.com/Icinga/icingaweb2/commit/ffe8741c66af6ea085514a35ec878093b991875c
and
https://github.com/Icinga/icingaweb2/commit/80875d91bbfa52553fe7bb2c1a32a9814880d9c1
?

Can you please double-check with the release team for a pre-approval
of 2.8.3 otherwise?

Regards,
Salvatore


