[pkg-php-pear] Fixing the Debian-specific issue found in CVE-2024-24821
David Prévot
david at tilapin.org
Sat Mar 9 09:43:23 GMT 2024
Hi,
On 07/03/2024 at 16:45, David Prévot wrote:
[…]
> I’ve been fixing some packages in unstable for and since DSA-5632-1,
> and reached around 70 packages updated already, but there are more
I’ve just finished going through the whole list of team maintained packages
[DDPO]. It needed about a hundred uploads that I managed to finish during
the MiniDebConf Hamburg [MDCH] (thanks to the organizers and my boss who
permitted me to be there).
DDPO:
https://qa.debian.org/developer.php?email=pkg-php-pear%40lists.alioth.debian.org
MDCH: https://wiki.debian.org/DebianEvents/de/2024/MiniDebCampHamburg
I intend to have a look at packages out of the team scope
build-depending on pkg-php-tools and other suspects, but I may miss
some. Help welcome to try and detect unsafe {require,include}{,_once}
that are loading 'path/to/file' (instead of '/full/path/to/file' or
__DIR__.'/anchored/path/to/file') in the Debian archive.
Having a full grasp of the amount of packages needing a fix would also
be welcome for stable (Bookworm) and even oldstable (Bullseye). Not sure
we want to fix everything, but it’s probably a first step before
discussing it with the security team.
By the way, there is another European Debian event happening soon
(mid-May) in Berlin [MDCB]. It would be nice if some of you manage to
attend so we can have an IRL team meeting/hacking during the week…
MDCB: https://wiki.debian.org/DebianEvents/de/2024/MiniDebconfBerlin
Regards
taffit
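A heuristic scanner for the unsafe include pattern described in the message above, added here as an example in Python; it is not the team's tooling and does not come from the original post. It assumes a tree of unpacked PHP sources (the embedded PHP snippet, its paths and the script name are constructed for the demonstration). The rule it encodes is the one the message states: a `require`/`include` (with or without `_once`) whose argument is a bare string literal such as `'path/to/file'` is resolved through include_path, which by default contains `.`, so the process's current working directory is searched; an absolute `'/full/path'` or an expression anchored on `__DIR__` (or `dirname(__FILE__)`) is not. Anything else (variables, function calls) is reported as "dynamic" for a human to look at.

```python
"""Heuristic scanner for PHP include/require statements whose target is a
relative path resolved via include_path (and so the cwd), rather than an
absolute or __DIR__-anchored path. Added example, not pkg-php-pear tooling."""
import os
import re
import sys
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Matches `require 'x'`, `include_once("x")`, `require __DIR__ . '/x'`, ...
# and captures the argument expression up to the terminating `;`.
INCLUDE_RE = re.compile(
    r"\b(?P<kw>(?:require|include)(?:_once)?)\b\s*\(?\s*(?P<arg>[^;]+)")
# A string literal at the start of the argument expression.
LITERAL_RE = re.compile(r"""^(['"])(?P<path>[^'"]*)\1""")
# Expressions that anchor the path to the including file's own location.
ANCHORED_RE = re.compile(r"^(?:__DIR__|dirname\s*\(\s*__FILE__\s*\))")

# Constructed sample PHP source (not from any Debian package).
SAMPLE_PHP = r"""<?php
require_once 'Console/Getopt.php';          // relative: resolved via include_path
require '/usr/share/php/Symfony/autoload.php';  // absolute
include __DIR__ . '/vendor/autoload.php';   // anchored
include_once(__DIR__.'/lib/helper.php');    // anchored, function-call style
require_once("lib/db.php");                 // relative, function-call style
require dirname(__FILE__) . '/config.php';  // anchored
require $base . '/foo.php';                 // dynamic: needs a human look
// require 'commented/out.php';
/* require 'block/comment.php'; */
"""


@dataclass
class Finding:
    line: int       # 1-based line number in the scanned source
    verdict: str    # "unsafe", "absolute", "anchored" or "dynamic"
    keyword: str    # require / include / require_once / include_once
    target: str     # the literal path, or the raw expression if not a literal


def _strip_comments(src: str) -> str:
    """Blank out /* ... */ and // or # comments, keeping line numbers stable."""
    src = re.sub(r"/\*.*?\*/",
                 lambda m: "\n" * m.group(0).count("\n"), src, flags=re.S)
    # Naive: also truncates at '//' or '#' inside string literals, which can
    # only make the scanner miss a statement, never report a false one.
    return re.sub(r"(?m)(//|#).*$", "", src)


def classify(arg: str) -> Tuple[str, str]:
    """Return (verdict, target) for the argument expression of an include."""
    arg = arg.strip()
    lit = LITERAL_RE.match(arg)
    if lit:
        path = lit.group("path")
        # Absolute paths bypass include_path; './x' and 'x' both depend on cwd.
        return ("absolute" if path.startswith("/") else "unsafe", path)
    if ANCHORED_RE.match(arg):
        return ("anchored", arg)
    return ("dynamic", arg)


def scan_php_source(src: str) -> List[Finding]:
    """Classify every include/require statement found in one PHP source."""
    findings = []
    for lineno, line in enumerate(_strip_comments(src).splitlines(), start=1):
        for m in INCLUDE_RE.finditer(line):
            verdict, target = classify(m.group("arg"))
            findings.append(Finding(lineno, verdict, m.group("kw"), target))
    return findings


def unsafe_includes(src: str) -> List[Tuple[int, str]]:
    """(line, path) for each include that goes through include_path."""
    return [(f.line, f.target) for f in scan_php_source(src)
            if f.verdict == "unsafe"]


def scan_tree(root: str) -> Iterator[Tuple[str, Finding]]:
    """Yield (path, finding) for every unsafe include under root."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith((".php", ".inc")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for f in scan_php_source(fh.read()):
                        if f.verdict == "unsafe":
                            yield path, f


if __name__ == "__main__":
    # Usage (hypothetical script name): python scan_includes.py /unpacked/src
    # With no argument the constructed sample above is scanned instead.
    if len(sys.argv) > 1:
        for root in sys.argv[1:]:
            for path, f in scan_tree(root):
                print(f"{path}:{f.line}: {f.keyword} '{f.target}' via include_path")
    else:
        for f in scan_php_source(SAMPLE_PHP):
            print(f"line {f.line}: {f.verdict:8} {f.keyword} {f.target}")
```

The scanner is line-based and regex-driven, not a PHP parser: a statement whose argument spans several lines, or a keyword that appears inside a string, will be missed or mis-reported, so treat its output as a worklist to confirm by hand rather than as a verdict. "Dynamic" findings are the ones worth reading most carefully, since a variable that ends up holding a relative path is just as cwd-dependent as a literal one.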