
webui: use patched laminas packages #2439

Merged
BareosBot merged 2 commits into bareos:master from sebastianlederer:dev/slederer/master/laminas-secpatch
Nov 17, 2025

Conversation


@sebastianlederer sebastianlederer commented Nov 13, 2025

  • the versions of laminas-form and laminas-http that are used by the Bareos WebUI have issues CVE-2022-23598 and CVE-2021-3007. Since we cannot easily upgrade to the latest versions, we backported the security patches and use our own patched versions

  • CVE-2022-23598 in laminas-form does not apply to versions older than 2.12.0, and we are using 2.6.0, so our version does not contain any patches but adds a description why the old version is not vulnerable (the CVE is actually incorrect about the affected versions, probably because nobody cared about versions that old)

Thank you for contributing to the Bareos Project!

Please check

  • Short description and the purpose of this PR is present above this paragraph

If you have any questions or problems, please give a comment in the PR.

Helpful documentation and best practices

Checklist for the reviewer of the PR (will be processed by the Bareos team)

Make sure you check/merge the PR using devtools/pr-tool to have some simple automated checks run and a proper changelog record added.

General
  • Is the PR title usable as CHANGELOG entry?
  • Purpose of the PR is understood
  • Commit descriptions are understandable and well formatted
  • Required backport PRs have been created
  • Correct milestone is set
Source code quality
  • Source code changes are understandable
  • Variable and function names are meaningful
  • Code comments are correct (logically and spelling)
  • Required documentation changes are present and part of the PR

@pstorz pstorz self-requested a review November 17, 2025 10:43
@pstorz pstorz added this to the 25.0.0 milestone Nov 17, 2025

@pstorz pstorz left a comment


Looks good to me. composer audit shows no vulnerabilities.

sebastianlederer and others added 2 commits November 17, 2025 11:28
- the versions of laminas-form and laminas-http that are used by
  the Bareos WebUI have issues CVE-2022-23598 and CVE-2021-3007,
  since we cannot easily upgrade to the latest versions, we
  backported the security patches and use our own patched versions

- CVE-2022-23598 in laminas-form does not apply to versions older
  than 2.12.0, and we are using 2.6.0, so our version does not
  contain any patches but adds a description why the old
  version is not vulnerable (the CVE is actually incorrect about
  the affected versions, probably because nobody cared about
  versions that old)
@BareosBot BareosBot force-pushed the dev/slederer/master/laminas-secpatch branch from 8a1598c to 5720740 Compare November 17, 2025 11:28
@BareosBot BareosBot merged commit 9be97f6 into bareos:master Nov 17, 2025