Upgrading dpkg for Garden Linux 934.11

We had some findings of security vulnerabilities in a 934.10 image:

  • CVE-2023-32611
  • CVE-2023-32665
  • CVE-2023-32636
  • CVE-2023-32643
  • CVE-2023-29499

Wait, these CVEs are for glib (the GTK library)? Yes, dpkg statically links the GTK library, so the vulnerable code is baked into the dpkg binary itself rather than pulled in from a separately patchable shared library. This means we need to rebuild or upgrade dpkg.

OK, then let's upgrade dpkg to version 1.22. We can mirror it directly from Debian testing; the dpkg currently in Debian testing is built with a version of glib that is no longer vulnerable to those CVEs.

Manually checking the required dependencies for this dpkg version upgrade shows that we also need to upgrade the following:

  • xz-utils/5.4.4-0.1
  • liblzma5/5.4.4-0.1
  • libzstd1/1.5.5+dfsg2-2

I complain only a little, and make a note:

We need a dependency checker.
Input: apt repo URL + package/version
Output: a list of dependency problems

The dependency checker tells whether a version upgrade can happen without missing dependencies.
We have two cases:
1. missing dependency: the version upgrade introduces a dependency on a package that did not exist before
2. wrong version of a dependency: the package exists, but not in the version the upgrade requires
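The sketch above is small enough to implement. What follows is an added example, not Garden Linux tooling: a checker that reads a Packages-style index of what the repo offers, takes the candidate package's stanza, and reports each unsatisfiable relation as either `missing` (case 1) or `wrong-version` (case 2). It carries dpkg's version ordering (epoch, upstream, revision, with `~` sorting before the empty string) so that relations such as `liblzma5 (>= 5.4.4)` are decided the way apt would decide them. The sample index and the candidate stanza are constructed for the example; the relations in `SAMPLE_CANDIDATE` are illustrative and not copied from dpkg's real control file, and `libnotinrepo0` and `libother0` are placeholder package names.

```python
import re

def _order(ch):
    # dpkg character weight: '~' < end of string < letters < other punctuation
    if not ch or ch.isdigit(): return 0
    if ch.isalpha(): return ord(ch)
    return -1 if ch == "~" else ord(ch) + 256

def _verrevcmp(a, b):
    """Compare version fragments like dpkg's verrevcmp(); returns <0, 0 or >0."""
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc: return ac - bc
            a, b = a[1:], b[1:]
        # Digit runs: drop leading zeros; longer run wins, else first differing digit.
        a, b = a.lstrip("0"), b.lstrip("0")
        first_diff = 0
        while a[:1].isdigit() and b[:1].isdigit():
            first_diff = first_diff or int(a[0]) - int(b[0])
            a, b = a[1:], b[1:]
        if a[:1].isdigit(): return 1
        if b[:1].isdigit(): return -1
        if first_diff: return first_diff
    return 0

def compare_versions(v1, v2):
    """dpkg ordering of full versions '[epoch:]upstream[-revision]'."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def parse_packages(text):
    """Parse Packages-file stanzas into {name: {field: value}}; continuation lines are ignored."""
    index = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        lines = [l for l in stanza.splitlines() if ":" in l and not l[0].isspace()]
        fields = {k.strip(): v.strip() for k, v in (l.split(":", 1) for l in lines)}
        index[fields["Package"]] = fields
    return index

# One relation: name[:arch] [(op version)]; ',' groups and '|' alternatives are split first.
_REL = re.compile(r"^\s*([a-z0-9][a-z0-9+.\-]*)(?::\S+)?\s*(?:\(\s*(<<|<=|=|>=|>>)\s*([^)\s]+)\s*\))?\s*$")

def parse_relations(field):
    """'a (>= 1), b | c' -> [[('a','>=','1')], [('b',None,None), ('c',None,None)]]."""
    groups = []
    for group in filter(str.strip, field.split(",")):
        alts = [_REL.match(alt) for alt in group.split("|")]
        if not all(alts): raise ValueError("unsupported relation syntax: %r" % group)
        groups.append([m.groups() for m in alts])
    return groups

_OPS = {"<<": (-1,), "<=": (-1, 0), "=": (0,), ">=": (0, 1), ">>": (1,)}
def _satisfied(rel, index):
    name, op, want = rel
    if name not in index: return False
    if op is None: return True
    c = compare_versions(index[name]["Version"], want)
    return (c > 0) - (c < 0) in _OPS[op]

def check_dependencies(candidate, index):
    """List the relations of `candidate` that the repo described by `index` cannot satisfy."""
    problems = []
    field = ", ".join(candidate[f] for f in ("Pre-Depends", "Depends") if f in candidate)
    for alts in parse_relations(field):
        if any(_satisfied(alt, index) for alt in alts): continue
        name, op, want = alts[0]  # report on the first alternative
        if name not in index:
            problems.append(("missing", name, None))   # case 1 from the note
        else:                                          # case 2: present, wrong version
            detail = "needs %s %s, repo has %s" % (op, want, index[name]["Version"])
            problems.append(("wrong-version", name, detail))
    return problems

# Constructed sample index standing in for an older repo (not real 934.10 contents).
SAMPLE_REPO = """\
Package: liblzma5
Version: 5.4.1-0.2

Package: libzstd1
Version: 1.5.4+dfsg2-5

Package: libc6
Version: 2.36-9
"""
# Constructed candidate stanza; relations are illustrative, not dpkg's real control file.
SAMPLE_CANDIDATE = """\
Package: dpkg
Version: 1.22.0
Pre-Depends: libc6 (>= 2.14), liblzma5 (>= 5.4.4), libzstd1 (>= 1.5.5)
Depends: libnotinrepo0, libother0 | libc6 (>= 2.30)
"""

def run_sample():
    index = parse_packages(SAMPLE_REPO)
    candidate = parse_packages(SAMPLE_CANDIDATE)["dpkg"]
    return check_dependencies(candidate, index)
```

Calling `run_sample()` reports liblzma5 and libzstd1 as wrong-version (the repo's 5.4.1 and 1.5.4 do not satisfy `>= 5.4.4` and `>= 1.5.5`, which is exactly what forced the extra upgrades above) and `libnotinrepo0` as missing, while `libother0 | libc6 (>= 2.30)` passes through the alternative. Against a real repo the index would come from the fetched and decompressed `Packages` file for the suite and architecture; the example keeps one version per package and does not model multiple candidates, `Provides`, or architecture restrictions in brackets.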

Done. Everything is included, and I can go ahead with testing 934.11. Next stop: glibc.