Bug#986008: libpdfbox2-java: CVE-2021-27906

tony mancill tmancill at debian.org
Mon Apr 5 16:02:12 BST 2021


On Mon, Apr 05, 2021 at 09:37:41AM +0200, Markus Koschany wrote:
> Am Sonntag, den 04.04.2021, 21:05 -0700 schrieb tony mancill:
> > On Sat, Mar 27, 2021 at 07:54:11PM +0100, Salvatore Bonaccorso wrote:
> > > Source: libpdfbox2-java
> > > Version: 2.0.22-1
> > > Severity: important
> > > Tags: security upstream
> > > Forwarded: https://issues.apache.org/jira/browse/PDFBOX-5112
> > > X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
> > 
> > Hi,
> > 
> > I took a look at this and I think the best thing to do for our users is
> > to upload 2.0.23 instead of trying to backport just the CVE changes
> > from this set of commits [1].
> > 
> > The 2.0.23 package builds without any other changes and doesn't
> > introduce any API changes [2].  This will address both CVE-2021-27807
> > and CVE-2021-27906.
> 
> That sounds reasonable to me. Thanks for the update!
 
Hi Markus,

It is done.

The only thing that's a little weird about switching over the DEP-14
layout is that the "upstream" branch gets renamed to "upstream/latest"
and I don't know how to do that without deleting the (bare) "upstream"
branch.  Everything should be correct in Salsa for a new checkout, but
you might run into some git unhappiness when updating your local repo.

Cheers,
tony
