[pkg-php-pear] Bug#1034714: bullseye-pu: package php-nyholm-psr7/1.3.2-2+deb11u1
David Prévot
taffit at debian.org
Sat Apr 22 11:59:13 BST 2023
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: php-nyholm-psr7 at packages.debian.org, team at security.debian.org
Control: affects -1 + src:php-nyholm-psr7
Hi,
Please note that this request is very similar to #1034713 for
php-guzzlehttp-psr7/1.7.0-1+deb11u2 (even the CVE ID is the same).
[ Reason ]
I’d like to fix an improper input validation [CVE-2023-29197]
filed as #1034597. The security team reviewed this bug filed
with a non-RC severity, so I assume they don’t expect to release
a DSA for it (as for the other php-guzzlehttp-psr7 issue);
anyway, the team is X-D-Cc.
[ Impact ]
It’s a security flaw.
[ Tests ]
The (extended for this fix) upstream testsuite is run at build
time and debci.
[ Risks ]
The code change is fairly trivial, and was adapted from
upstream (I used the exact same patch as the one targeted for
Bookworm).
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in stable
[x] the issue is verified as fixed in unstable
[ Changes ]
It’s just a stricter validation regex.
[ Other info ]
Thanks a lot for your work!
Cheers
taffit