Hi Abhijith,

On Thu, Jun 2, 2022 at 5:50 PM Abhijith PA <abhij...@disroot.org> wrote:
> Package icingaweb2 (2.4) in stretch has around 9 open CVEs. Most of
> them are fixed in upstream v2.6. There aren't isolated patches available
> for CVE-2018-18246 to CVE-2018-18250.
>
> The changes from 2.4 .. 2.6 are pretty large and not very descriptive
> to comb through and cherry-pick. I have pinged the upstream security team
> to help; unfortunately they couldn't single out the patches. So I was
> wondering whether it's ok to upload v2.6 from stretch-backports to
> -security and fix the remaining CVEs on top of that.
I think that'd make sense, particularly when the said package is already
in the -backports pocket. But that said, do make a note of:

$ reverse-depends src:icingaweb2
Reverse-Recommends
* education-main-server [amd64 arm64 armel armhf i386 mips64el mipsel ppc64el s390x]

Reverse-Depends
* icingaweb2-module-audit (for icingaweb2)
* icingaweb2-module-boxydash (for icingaweb2)
* icingaweb2-module-businessprocess
* icingaweb2-module-businessprocess
* icingaweb2-module-cube (for icingaweb2)
* icingaweb2-module-director (for icingaweb2-module-monitoring)
* icingaweb2-module-director (for icingaweb2)
* icingaweb2-module-eventdb (for icingaweb2)
* icingaweb2-module-fileshipper
* icingaweb2-module-generictts
* icingaweb2-module-generictts
* icingaweb2-module-graphite (for icingaweb2)
* icingaweb2-module-idoreports
* icingaweb2-module-incubator (for icingaweb2)
* icingaweb2-module-ipl (for icingaweb2)
* icingaweb2-module-map (for icingaweb2)
* icingaweb2-module-nagvis (for icingaweb2)
* icingaweb2-module-pdfexport (for icingaweb2)
* icingaweb2-module-pnp (for icingaweb2)
* icingaweb2-module-reactbundle
* icingaweb2-module-reporting (for icingaweb2)
* icingaweb2-module-statusmap (for icingaweb2)
* icingaweb2-module-toplevelview
* icingaweb2-module-toplevelview
* icingaweb2-module-x509 (for icingaweb2)

Packages without architectures listed are reverse-dependencies in: all, amd64, arm64, armel, armhf, i386, mips64el, mipsel, ppc64el, s390x

$ reverse-depends -b src:icingaweb2
No reverse dependencies found

So ideally, since the package is in the -backports pocket, I don't think it'd be
a problem, but do make sure that you at least test the package so it doesn't
introduce any regressions or anything.

Hope that helps.

- u
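To turn a reverse-depends listing like the one above into a regression-test checklist before an upload to -security, here is an added Python example (not code from the thread, from Debian tooling, or from ubuntu-dev-tools): it parses the text format shown above and lists which reverse dependencies to smoke-test against the rebuilt binaries. The embedded sample is a trimmed copy of the output quoted above; the function names are my own.

```python
# Added example: parse `reverse-depends` text output into a structure that
# drives a regression-test checklist. SAMPLE_OUTPUT is a trimmed copy of the thread's output.
import re
from collections import defaultdict

SAMPLE_OUTPUT = """\
Reverse-Recommends
* education-main-server [amd64 arm64 armel armhf i386 mips64el mipsel ppc64el s390x]

Reverse-Depends
* icingaweb2-module-audit (for icingaweb2)
* icingaweb2-module-businessprocess
* icingaweb2-module-businessprocess
* icingaweb2-module-director (for icingaweb2-module-monitoring)
* icingaweb2-module-director (for icingaweb2)
* icingaweb2-module-x509 (for icingaweb2)
Packages without architectures listed are reverse-dependencies in: all, amd64
"""

# One entry line: "* pkg", optionally "(for binary)", optionally "[arches]".
ENTRY = re.compile(r"^\* (\S+)(?: \(for (\S+)\))?(?: \[([^\]]*)\])?$")

def parse_reverse_depends(text):
    """Return {section: {package: {"for": set(), "arches": set()}}}.
    Repeated lines for the same package are merged into one entry."""
    result = defaultdict(lambda: defaultdict(lambda: {"for": set(), "arches": set()}))
    section = None
    for line in text.splitlines():
        if line.startswith("Reverse-"):
            section = line.strip()
            continue
        m = ENTRY.match(line)
        if m is None or section is None:
            continue  # blank lines and the trailing architecture note
        name, target, arches = m.groups()
        entry = result[section][name]
        if target:
            entry["for"].add(target)
        if arches:
            entry["arches"].update(arches.split())
    return {s: dict(pkgs) for s, pkgs in result.items()}

def smoke_test_checklist(text, rebuilt_binaries):
    """Reverse dependencies worth exercising against the new upload: those
    that name one of the rebuilt binaries, plus those that name no binary."""
    parsed, todo = parse_reverse_depends(text), set()
    for pkgs in parsed.values():
        for name, entry in pkgs.items():
            if not entry["for"] or entry["for"] & set(rebuilt_binaries):
                todo.add(name)
    return sorted(todo)
```

Feeding it the full listing from the thread gives the set of modules to install alongside the 2.6 upload and exercise; duplicated entries such as icingaweb2-module-businessprocess collapse into one item.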