Hi Joseph,

[disclaimer: not a release team member, but I believe I can give input on the debdiff below]
On Mon, Jun 12, 2023 at 08:19:55PM -0400, Joseph Nahmias wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian....@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: kanbo...@packages.debian.org, j...@nahmias.net
> Control: affects -1 + src:kanboard
>
> [ Reason ]
> Security updates for kanboard since v1.2.26.
>
> [ Tests ]
> upstream's unit test suite is run at build time and via autopkgtest.
> there are also some other (superficial) autopkgtests.
>
> [ Risks ]
> All listed CVEs have targeted fixes picked from upstream github.
>
> [ Checklist ]
> [X] *all* changes are documented in the d/changelog
> [X] I reviewed all changes and I approve them
> [X] attach debdiff against the package in (old)stable
> [X] the issue is verified as fixed in unstable
>
> [ Other info ]
>
> My first stable update, so please advise if I missed anything.
> --Joe
>
> diff -Nru kanboard-1.2.26+ds/debian/changelog
> kanboard-1.2.26+ds/debian/changelog
> --- kanboard-1.2.26+ds/debian/changelog 2023-05-16 22:49:38.000000000
> -0400
> +++ kanboard-1.2.26+ds/debian/changelog 2023-06-07 20:45:40.000000000
> -0400
> @@ -1,3 +1,24 @@
> +kanboard (1.2.26+ds-4) unstable; urgency=medium
> +
> + * backport security fixes from kanboard v1.2.30
> + > CVE-2023-33956: Parameter based Indirect Object Referencing leading
> + to private file exposure
> + > CVE-2023-33968: Missing access control allows user to move and
> + duplicate tasks to any project in the software
> + > CVE-2023-33969: Stored XSS in the Task External Link Functionality
> + > CVE-2023-33970: Missing access control in internal task links feature
> + (Closes: #1037167)
> +
> + -- Joseph Nahmias <je...@debian.org> Wed, 07 Jun 2023 20:45:40 -0400
> +
> +kanboard (1.2.26+ds-3) unstable; urgency=medium
> +
> + * backport fix for CVE-2023-32685 from kanboard v1.2.29
> + > https://github.com/kanboard/kanboard/security/advisories/GHSA-hjmw-gm82-r4gv
> + Based on upstream commits 26b6eeb & c9c1872. (Closes: #1036874)
> +
> + -- Joseph Nahmias <je...@debian.org> Sun, 28 May 2023 21:42:46 -0400

This seems to be the current debdiff between bookworm and the unstable version. But now that bookworm is released, a package does not migrate anymore from there to stable. What is needed above is to apply the needed patches on top of the 1.2.26+ds-2 version in testing and version it such that it is 1.2.26+ds-2+deb12u1.

The developers-reference has some additional hints:
https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions

Hope this helps,

Regards,
Salvatore
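Review bot: both changelog entries added in this hunk carry the distribution `unstable` and the versions 1.2.26+ds-3 and 1.2.26+ds-4, so the debdiff documents the unstable uploads rather than a bookworm update; a pu upload needs one new entry targeting `bookworm`, versioned 1.2.26+ds-2+deb12u1 on top of the 1.2.26+ds-2 package that is in bookworm, with the four CVE fixes from the -4 entry and the CVE-2023-32685 fix from the -3 entry folded into that single entry.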