Bug#986008: libpdfbox2-java: CVE-2021-27906

Salvatore Bonaccorso carnil at debian.org
Mon Apr 5 16:15:12 BST 2021


Hi,

On Sun, Apr 04, 2021 at 09:05:06PM -0700, tony mancill wrote:
> On Sat, Mar 27, 2021 at 07:54:11PM +0100, Salvatore Bonaccorso wrote:
> > Source: libpdfbox2-java
> > Version: 2.0.22-1
> > Severity: important
> > Tags: security upstream
> > Forwarded: https://issues.apache.org/jira/browse/PDFBOX-5112
> > X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
> 
> Hi,
> 
> I took a look at this and I think the best thing to do for our users is
> to upload 2.0.23 instead of trying to backport just the CVE changes
> from this set of commits [1].
> 
> The 2.0.23 package builds without any other changes and doesn't
> introduce any API changes [2].  This will address both CVE-2021-27807
> and CVE-2021-27906.
> 
> I have an upload ready (using DEP-14 branches, so it won't change
> master).  I originally considered uploading 2.0.23 to experimental due
> to the freeze, but I think it should go to unstable and then we can
> discuss what we do for bullseye.

Do you by chance have any more details on CVE-2021-27807? The two
posts to oss-security were a bit scarce on details for CVE-2021-27807.
For CVE-2021-27906 at least there was a point to a respective upstream
issue.

About the upload to unstable, would it maybe be sensible to ask the
release team first for a pre-approval?

Regards,
Salvatore
