Bug#986008: libpdfbox2-java: CVE-2021-27906
tony mancill
tmancill at debian.org
Mon Apr 5 17:12:24 BST 2021
On Mon, Apr 05, 2021 at 05:15:12PM +0200, Salvatore Bonaccorso wrote:
> On Sun, Apr 04, 2021 at 09:05:06PM -0700, tony mancill wrote:
> > On Sat, Mar 27, 2021 at 07:54:11PM +0100, Salvatore Bonaccorso wrote:
> > > Source: libpdfbox2-java
> > > Version: 2.0.22-1
> > > Severity: important
> > > Tags: security upstream
> > > Forwarded: https://issues.apache.org/jira/browse/PDFBOX-5112
> > > X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
> >
> > Hi,
> >
> > I took a look at this and I think the best thing to do for our users is
> > to upload 2.0.23 instead of trying to backport just the CVE changes
> > from this set of commits [1].
> >
> > The 2.0.23 package builds without any other changes and doesn't
> > introduce any API changes [2]. This will address both CVE-2021-27807
> > and CVE-2021-27906.
> >
> > I have an upload ready (using DEP-14 branches, so it won't change
> > master). I originally considered uploading 2.0.23 to experimental due
> > to the freeze, but I think it should go to unstable and then we can
> > discuss what we do for bullseye.
>
> Do you by chance have any more details on CVE-2021-27807? The two
> posts to oss-security were a bit scarce on details for CVE-2021-27807.
> For CVE-2021-27906 at least there was a point to a respective upstream
> issue.
Err, I'm glad you asked. I'm looking through my notes and I think I
made a mistake about CVE-2021-27807 being in 2.0.23. I will mark the
bug as not-fixed and follow up.
> About the upload to unstable, would it maybe be sensible to first ask
> the release team for pre-approval?
Yes, it definitely is sensible. For this issue, I think the cherry-pick
approach is more likely to result in problems for users than the updated
version. If the Release Team does not agree, I will track the issue and
work through s-p-u, or at least backports.
Thank you,
tony