On Wed, May 22, 2024 at 3:00 PM Moritz Muehlenhoff <j...@inutil.org> wrote:
>
> On Wed, May 22, 2024 at 02:42:58PM -0300, Leandro Cunha wrote:
> > Hi everyone,
> >
> > On Wed, May 22, 2024 at 12:39 PM Moritz Mühlenhoff <j...@inutil.org> wrote:
> > >
> > > Am Wed, Mar 06, 2024 at 06:39:01AM -0300 schrieb Leandro Cunha:
> > > > Hi Christoph Berg,
> > > >
> > > > On Wed, Mar 6, 2024 at 5:42 AM Christoph Berg <m...@debian.org> wrote:
> > > > >
> > > > > Re: Leandro Cunha
> > > > > > The
> > > > > > next job would be to make it available through backports, and I would
> > > > > > choose to remove this package from stable. But I would only leave it in
> > > > > > bookworm-backports due to other bugs found (these CVEs too) and fixed
> > > > > > in 7.14.7.
> > > > > > I have to look into the status of backports to oldstable. But I'm
> > > > > > also studying the possibility of working with patches for these two
> > > > > > versions.
> > > > >
> > > > > Why would you want to remove it from stable? In closed environments,
> > > > > CVEs are often not a problem.
> > > > >
> > > > > Christoph
> > > >
> > > > In addition to the CVEs, phppgadmin, which is present in stable, does
> > > > not connect to PostgreSQL 15 and 16 without a patch I inserted in
> > > > 7.13.0+dfsg-3, but I can add the same patch by reopening bug #1029516
> > > > or opening another important bug (I am aware that the bug must have a
> > > > severity greater than important)[3] for stable and submitting a
> > > > new bug to the release team for approval. That way a version with this
> > > > issue fixed would be released in a future release (if
> > > > approved). But CVE-2023-40619 is treated with critical severity and
> > > > CVE-2019-10784 is also critical according to the NVD[1][2]. The Debian
> > > > LTS team handled this with DLA-3644-1 (CVE-2023-40619)[4] in buster
> > > > (oldoldstable), and the openSUSE team also handled both CVEs in
> > > > Leap[5][6].
> > > > Removing this package from stable will not leave users without it, and
> > > > we can release it in backports.
> > > > I can treat this as a job of ensuring the quality of what is
> > > > distributed by Debian.
> > >
> > > Agreed, if the package is actually broken with the version of PostgreSQL
> > > in stable and if there's no sensible backport for the open security issues,
> > > then let's rather remove it by the next point release.
> > >
> > > Cheers,
> > >         Moritz
> >
> > It's the best thing to do: the package with the necessary corrections
> > is already present in bookworm-backports, and the user just needs to
> > run apt install -t bookworm-backports phppgadmin[1][2][3]. This was done
> > with sponsorship from Christoph Berg (thank you for that), and thanks also
> > to the Debian Security Team.
>
> Ack, will you do the removal request? You can do that with
> "reportbug release.debian.org" and then selecting the
> "rm stable/testing removal requests" option.
>
> Cheers,
>         Moritz

Already in draft.
Once it's ready, I'll send it to the BTS using the reportbug template.
I'll get a DD to review it tonight on a video call before sending it.

https://wiki.debian.org/reportbug
-- 
Cheers,
Leandro Cunha