Bug#825501: CVE-2016-4434

Moritz Mühlenhoff jmm at inutil.org
Mon Dec 31 11:55:28 GMT 2018


On Mon, Dec 31, 2018 at 08:04:18AM +0100, Salvatore Bonaccorso wrote:
> Hi Cyril,
> 
> 
> https://security-tracker.debian.org/tracker/source-package/tika
> 
> Furthermore if we only update to 1.13 there are likely some of the
> currently <not-affected> CVEs which will make tika affected, because
> the issue was introduced post 1.5. One example of this is for instance
> CVE-2016-6809, where the Matlab file parser was only introduced in 1.6
> and the issue fixed in 1.14. Or CVE-2018-17197 which affects 1.8 to
> 1.19.1. CVE-2018-1338, which was introduced in 1.7. CVE-2018-1335,
> present from 1.7 to 1.17.
> 
> There might be others, so I think the new upstream version fixing all
> known current CVEs is actually needed.

Agreed. Also 1.13 was released in May 2016, so by the time buster gets
released it would be ~ 5 years old.

Cheers,
        Moritz
