[pkg-php-pear] Fixing the Debian-specific issue found in CVE-2024-24821

David Prévot david at tilapin.org
Sat Mar 9 09:43:23 GMT 2024


Hi,

On 07/03/2024 at 16:45, David Prévot wrote:
[…]
> I’ve been fixing some packages in unstable for and since DSA-5632-1,
> and reached around 70 packages updated already, but there are more

I’ve just finished going through the whole list of team maintained packages 
[DDPO]. It needed about a hundred uploads that I managed to finish during 
the MiniDebConf Hamburg [MDCH] (thanks to the organizers and my boss who 
permitted me to be there).

DDPO: 
https://qa.debian.org/developer.php?email=pkg-php-pear%40lists.alioth.debian.org
MDCH: https://wiki.debian.org/DebianEvents/de/2024/MiniDebCampHamburg

I intend to have a look at packages out of the team scope 
build-depending on pkg-php-tools and other suspects, but I may miss 
some. Help welcome to try and detect unsafe {require,include}{,_once} 
that are loading 'path/to/file' (instead of '/full/path/to/file' or 
__DIR__.'/anchored/path/to/file') in the Debian archive.

Having a full grasp of the amount of packages needing a fix would also 
be welcome for stable (Bookworm) and even oldstable (Bullseye). Not sure 
we want to fix everything, but it’s probably a first step before 
discussing it with the security team.

By the way, there is another European Debian event happening soon 
(mid-May) in Berlin [MDCB]. It would be nice if some of you manage to 
attend so we can have an IRL team meeting/hacking during the week…

MDCB: https://wiki.debian.org/DebianEvents/de/2024/MiniDebconfBerlin

Regards

taffit
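The message above asks for help finding require/include statements that load a relative 'path/to/file' rather than an absolute path or a __DIR__-anchored one. The following scanner is an added example written for this page; it is not code from the pkg-php-pear team or from any Debian package. It flags the four PHP constructs (require, include, require_once, include_once) whose first argument is a plain string literal not starting with '/', which is exactly the case where PHP resolves the file through include_path (whose default starts with '.', the current working directory). A __DIR__ . '/...' or dirname(__FILE__) . '/...' argument is not a string literal and is therefore never matched. The sample PHP source embedded below is constructed for the demonstration; the function and variable names (find_unsafe_includes, scan_tree, SAMPLE_PHP) are this example's own choices.

```python
"""Flag require/include statements whose path is a relative string literal."""
import re
import sys
from pathlib import Path

# First argument of require/include/require_once/include_once when it is a
# single- or double-quoted literal, parentheses optional.  The negative
# lookbehind skips method calls ($loader->require(...)), static calls and
# variables named $require.  Arguments beginning with __DIR__ or
# dirname(__FILE__) are not literals, so they do not match at all.
_INCLUDE_RE = re.compile(
    r"""(?<![\w$>:])(require|include)(?:_once)?\s*\(?\s*(['"])(?P<path>[^'"]*)\2"""
)


def find_unsafe_includes(source):
    """Return (line number, path) for each include whose literal is not absolute."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in _INCLUDE_RE.finditer(line):
            path = m.group("path")
            # An absolute path is looked up directly; anything else goes
            # through include_path and may be picked up from the cwd.
            if not path.startswith("/"):
                hits.append((lineno, path))
    return hits


def scan_tree(root):
    """Yield (file, line number, path) for every *.php file under root."""
    for php in sorted(Path(root).rglob("*.php")):
        try:
            text = php.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        for lineno, path in find_unsafe_includes(text):
            yield php, lineno, path


# Constructed sample: one file showing the safe and the unsafe spellings.
SAMPLE_PHP = """<?php
require_once '/usr/share/php/PEAR/Exception.php';  // absolute: fine
require __DIR__ . '/../vendor/autoload.php';       // anchored to the file: fine
require_once 'PEAR/Exception.php';                 // relative literal: flagged
include("vendor/autoload.php");                    // relative literal: flagged
$loader->require('lib/x.php');                     // a method call, not the construct
"""


if __name__ == "__main__":
    # With no arguments, report on the embedded sample; otherwise walk the
    # given directories (e.g. an unpacked source package or /usr/share/php).
    if len(sys.argv) == 1:
        for lineno, path in find_unsafe_includes(SAMPLE_PHP):
            print(f"<sample>:{lineno}: {path}")
    else:
        for root in sys.argv[1:]:
            for php, lineno, path in scan_tree(root):
                print(f"{php}:{lineno}: {path}")
```

Run against the embedded sample it reports lines 4 and 5 only. It is a triage tool, not a proof: commented-out code and strings inside heredocs produce false positives, a literal concatenated with a variable ('lib/' . $name) is reported (correctly, since the prefix is still relative), and it does not check that an absolute path actually exists on the target system. Files with other extensions (.inc, .phtml) need a second glob if a package uses them.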