Bug 24599

Summary: glpi new security issues fixed upstream in 9.4.1.1
Product: Mageia Reporter: David Walser <luigiwalser>
Component: Security Assignee: Guillaume Rousse <guillomovitch>
Status: RESOLVED WONTFIX QA Contact: Sec team <security>
Severity: normal    
Priority: Normal    
Version: 6   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: glpi-9.1.6-2.2.mga6.src.rpm CVE:
Status comment: Fixed upstream in 9.4.1.1

Description David Walser 2019-03-30 18:58:02 CET
Fedora has issued an advisory on March 29:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2VVTYWQABX6YTYBJ7TXMJRG24R4PJUKG/

The issues are fixed upstream in 9.4.1.1.
David Walser 2019-03-30 18:58:19 CET

Status comment: (none) => Fixed upstream in 9.4.1.1

Comment 1 Guillaume Rousse 2019-04-01 20:03:52 CEST
We have GLPI 9.1 in Mageia 6. Porting and testing the six different changes tagged as security issues in the changelog is quite a lot of work, especially as some of them are not precisely trivial. And shipping another major version as a security update, implying a database schema change, as well as shipping all other version-dependent plugins, is a no-go for me.

I'll try to get in touch with the upstream developer to have some kind of risk assessment before investing any porting effort here. Unless we have a clear cost/benefit ratio here (or someone else volunteers to do the job, of course), that's quite likely to end as WONTFIX.

Status: NEW => ASSIGNED

Comment 2 Guillaume Rousse 2019-08-10 11:47:48 CEST
Closing as WONTFIX, as explained in comment #1

Status: ASSIGNED => RESOLVED
Resolution: (none) => WONTFIX