David Prévot
2024-02-29 11:40:02 UTC
Reply
PermalinkSeverity: normal
Tags: bullseye
X-Debbugs-Cc: php-symfony-***@packages.debian.org, ***@security.debian.org
Control: affects -1 + src:php-symfony-contracts
User: ***@packages.debian.org
Usertags: pu
[2/6 for bullseye]
This is a follow up from composer/DSA-5632-1, similar to #1065058 in
bookworm.
In order to fix a Debian-specific issue related to CVE-2024-24821, we
agreed with the security team to push related dependencies via the next
point release.
The only change (besides changelog entry) in the binary packages is of
the following kind (thanks to diffoscope), for example for
php-symfony-cache-contracts.
â â âââ ./usr/share/php/Symfony/Contracts/Cache/autoload.php
â â â @@ -1,13 +1,11 @@
â â â <?php
â â â -require_once 'Psr/Cache/autoload.php';
â â â +require_once __DIR__ . '/../../../Psr/Cache/autoload.php';
â â â
â â â -if (stream_resolve_include_path('Symfony/Component/Cache/autoload.php')){
â â â - include_once 'Symfony/Component/Cache/autoload.php';
â â â -}
â â â +if (stream_resolve_include_path(__DIR__ . '/../../Component/Cache/autoload.php')) { include_once __DIR__ . '/../../Component/Cache/autoload.php'; }
â â â
â â â // @codingStandardsIgnoreFile
The goal is to ensure related dependencies are loaded from the system
path.
The attached debdiff is a lot bigger, since this source package builds
seven binary packages, and that d/rules has been adapted to keep the
testsuite at buildtime effective.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
TIA for considering.
Cheers,
taffit