Hello everyone, I hope this message finds you well. I am reaching out to seek your valuable advice and assistance regarding a critical issue we are facing in upgrading our Debian Buster XHGui instances to Debian Bookworm.
The main challenge we are encountering stems from the fact that XHGui specifically requires a very old version of the php-twig package. More precisely, XHGui relies on php-twig v1.44.7. However, the available version of php-twig in Bookworm is v3.5.1. Unfortunately, Debian Stretch is the last release where php-twig v1.x.x was available. XHGui is known to be incompatible with versions other than v1.x.x as documented in our puppet repository.
In addition to the php-twig version compatibility issue, I want to highlight a known CVE affecting our current php-twig version, namely CVE-2022-39261. The vulnerability has a severity score of 7.5 (High severity) according to the Common Vulnerability Scoring System (CVSS) and is remotely exploitable. Regrettably, no php-twig v1.x.x versions with the patch are available for Debian.
Considering these challenges, I would greatly appreciate your expertise and insights on determining the best approach to address this situation. In particular, I would like to hear your recommendations on the following matters:
- Handling the php-twig version disparity between XHGui's requirement (v1.44.7) and the available version in Debian Bookworm (v3.5.1).
- Mitigating the security risk posed by the known CVE (CVE-2022-39261) affecting our current php-twig version.
Your valuable input will significantly contribute to identifying the most appropriate course of action for us to pursue. Please share your thoughts, suggestions, and any alternative solutions you may have in mind.
Looking forward to your valuable insights and guidance.
Warm regards,
Andrea Denisse.