https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1000010
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13225

Looks like this unmaintained package should be dropped.

Assignee: bugsquad => mageia
Source RPM: phpipam-1.1.010-5.mga8.src => phpipam-1.1.010-5.mga8.src.rpm
Whiteboard: (none) => MGA7TOO
Version: 7 => Cauldron
Summary: phpipam security issue CVE-2019-1000010 CVE-2020-13225 => phpipam new security issues CVE-2019-1000010 and CVE-2020-13225

latest version is 1.4 from 2019. In maintdb ennael is set as maintainer.

Also imported by dlucio.  Neither have been active for years.

hmm, I'm ok with dropping.

ok so we fix for mga7 and drop for cauldron. Seems a good idea :-)

CC: (none) => mageia

new rpm pushed in mageia 7 ( new version 1.4.1 ) 

it contains even more security fixes amont:
    Security Fixes:
    ----------------------------
    + SQL injections processing `tableName` (#2738);
    + SQL injections processing `ftype` (#2751);
    + All circuits map, PHP object injection (#2937);


src:
 phpipam-1.4.1-1.mga7

Advisory:
========================

Updated phpipam package fixes security vulnerabilities:

phpIPAM version 1.3.2 and earlier contains a Cross Site Scripting (XSS)
vulnerability in subnet-scan-telnet.php that can result in executing code in
victims browser. This attack appears to be exploitable via victim visits link
crafted by an attacker (CVE-2019-1000010).

phpIPAM 1.4 contains a stored cross site scripting (XSS) vulnerability within
the Edit User Instructions field of the User Instructions widget
(CVE-2020-13225).

The phpipam package has been updated to version 1.4.1, which fixes these
issues, along with several other security issues and bugs.  See the release
announcements for details.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1000010
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13225
https://github.com/phpipam/phpipam/releases
========================

Updated packages in core/updates_testing:
========================
phpipam-1.4.1-1.mga7

from phpipam-1.4.1-1.mga7.src.rpm

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7

Installed phpipam and dependencies. Attempted to update using QA Repo and the package name in Comment 7, and I get this:

There was a problem during the installation:

file /usr/share/phpipam/functions/locale/de_DE from install of phpipam-1.4.1-1.mga7.noarch conflicts with file from package phpipam-1.1.010-3.mga7.noarch

file /usr/share/phpipam/functions/locale/en from install of phpipam-1.4.1-1.mga7.noarch conflicts with file from package phpipam-1.1.010-3.mga7.noarch

file /usr/share/phpipam/functions/locale/es_ES from install of phpipam-1.4.1-1.mga7.noarch conflicts with file from package phpipam-1.1.010-3.mga7.noarch

file /usr/share/phpipam/functions/locale/fr_FR from install of phpipam-1.4.1-1.mga7.noarch conflicts with file from package phpipam-1.1.010-3.mga7.noarch

file /usr/share/phpipam/functions/locale/nl_NL from install of phpipam-1.4.1-1.mga7.noarch conflicts with file from package phpipam-1.1.010-3.mga7.noarch

file /usr/share/phpipam/functions/locale/pt_BR from install of phpipam-1.4.1-1.mga7.noarch conflicts with file from package phpipam-1.1.010-3.mga7.noarch

file /usr/share/phpipam/functions/locale/sl_SI from install of phpipam-1.4.1-1.mga7.noarch conflicts with file from package phpipam-1.1.010-3.mga7.noarch

I think it needs more work...

CC: (none) => andrewsfarm

Sounds like a file type change that needs to be handled in a %pretrans scriplet.

Keywords: (none) => feedback

It's changing the files from being directories to being symlinks to the newly
added UTF-8 versions of the files.

CC: (none) => davidwhodgins

Ping? @Nicolas?

CC: (none) => ouaurelien

Re ping. We should fix this.
@Packager can you take a look?