On Wed, May 22, 2024 at 02:42:58PM -0300, Leandro Cunha wrote:
> Hi everyone,
>
> On Wed, May 22, 2024 at 12:39 PM Moritz Mühlenhoff <j...@inutil.org> wrote:
> >
> > On Wed, Mar 06, 2024 at 06:39:01AM -0300 Leandro Cunha wrote:
> > > Hi Christoph Berg,
> > >
> > > On Wed, Mar 6, 2024 at 5:42 AM Christoph Berg <m...@debian.org> wrote:
> > > >
> > > > Re: Leandro Cunha
> > > > > The
> > > > > next job would be to make it available through backports and I would
> > > > > choose to remove this package from stable. But I would only leave
> > > > > bookworm backports due to other bugs found (these CVEs too) and fixed
> > > > > in 7.14.7.
> > > > > I have to search about the status of backports to oldstable. But I'm
> > > > > also studying the possibility of working with patches for these two
> > > > > versions.
> > > >
> > > > Why would you want to remove it from stable? In closed environments,
> > > > CVEs are often not a problem.
> > > >
> > > > Christoph
> > >
> > > In addition to the CVEs, phppgadmin which is present in stable does
> > > not connect to PostgreSQL 15 and 16 without a patch I inserted in
> > > 7.13.0+dfsg-3, but I can add the same patch by reopening bug #1029516
> > > or opening another important bug (I am aware that the bug must have a
> > > severity greater than important)[3] for stable and submission of a
> > > new bug to the release team for approval. That way a version with this
> > > issue fixed would be released in a future release (if approved).
> > > But CVE-2023-40619 is treated with critical severity and
> > > CVE-2019-10784 is also critical according to the NVD[1][2]. The Debian
> > > LTS team handled this with DLA-3644-1 (CVE-2023-40619)[4] in buster
> > > (oldoldstable) and the OpenSUSE team also handled both CVEs in
> > > Leap[5][6].
> > > Removing this package in stable will not leave users without them and
> > > we can release it in backports.
> > > I can treat this as a job of ensuring the quality of what is
> > > distributed by Debian.
> >
> > Agreed, if the package is actually broken with the version of PostgreSQL
> > in stable and if there's no sensible backport for the open security issues,
> > then let's rather remove it by the next point release.
> >
> > Cheers,
> > Moritz
>
> It's the best thing to do. The package with the necessary corrections
> is already present in bookworm-backports and the user just needs to
> run apt install -t bookworm-backports phppgadmin[1][2][3], with
> sponsorship of Christoph Berg (thank you for that) and thanks also to
> the Debian Security Team.

Ack, will you do the removal request? You can do that with
"reportbug release.debian.org" and then selecting the
"rm stable/testing removal requests" option.

Cheers,
Moritz