Bug#986008: libpdfbox2-java: CVE-2021-27906
Markus Koschany
apo at debian.org
Mon Apr 5 08:37:41 BST 2021
Hi tony,
Am Sonntag, den 04.04.2021, 21:05 -0700 schrieb tony mancill:
> On Sat, Mar 27, 2021 at 07:54:11PM +0100, Salvatore Bonaccorso wrote:
> > Source: libpdfbox2-java
> > Version: 2.0.22-1
> > Severity: important
> > Tags: security upstream
> > Forwarded: https://issues.apache.org/jira/browse/PDFBOX-5112
> > X-Debbugs-Cc: carnil at debian.org, Debian Security Team <
> > team at security.debian.org>
>
> Hi,
>
> I took a look at this and I think the best thing to do for our users is
> to upload 2.0.23 instead of trying pick backport just the CVE changes
> from this set of commits [1].
>
> The 2.0.23 package builds without any other changes and doesn't
> introduce any API changes [2]. This will address both CVE-2021-27807
> and CVE-2021-27906.
That sounds reasonable to me. Thanks for the update!
Markus
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: This is a digitally signed message part
URL: <http://alioth-lists.debian.net/pipermail/pkg-java-maintainers/attachments/20210405/d64986a5/attachment.sig>
More information about the pkg-java-maintainers
mailing list