[Bug 1978555] Re: [SRU] New upstream maintenance and security releases for Focal and Jammy

Marc Deslauriers 1978555 at bugs.launchpad.net
Thu Feb 9 13:09:06 UTC 2023


NACK from the security team on the debdiffs in comments #1 and #2 for
the reasons stated above. I am unsubscribing ubuntu-security-sponsors
for now. Please resubscribe the team once appropriate debdiffs have been
attached to this bug. Thanks!

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1978555

Title:
  [SRU] New upstream maintenance and security releases for Focal and
  Jammy

Status in spip package in Ubuntu:
  Fix Released
Status in spip source package in Focal:
  New
Status in spip source package in Jammy:
  New

Bug description:
  The version in Focal is vulnerable to CVE-2020-28984, CVE-2021-44118,
  CVE-2021-44120, CVE-2021-44122, CVE-2021-44123, CVE-2022-26846 and
  CVE-2022-26847.

  The version in Jammy is vulnerable to CVE-2022-26846 and
  CVE-2022-26847.

  To fix the vulnerabilities and other bugs, I want to upgrade to new upstream maintenance and security releases (3.2.15 for Focal and 4.0.7 for Jammy).
  The only additional change is to override Lintian errors.

  Debian released an advisory on March 8.

  [Test Plan]
  For each combination of Ubuntu release and CVE that affects the package in that release, test that the CVE cannot be exploited with the updated package.

  [Where problems could occur]
  There are no reverse dependencies in Ubuntu. However, the upstream bug fixes can cause regressions in software outside of the Ubuntu archive.

  The Files-Excluded field in debian/copyright can be incorrect for the
  new upstream releases, excluding or including files that should not
  be, possibly leading to a nonfunctional SPIP or introducing other
  bugs.
