Hi, I just added the maintainer and uploader to the loop. Hopefully, they should know something about the package/code/issue.

On 04/01/2017 at 21:42, Salvatore Bonaccorso wrote:
> On Sun, Mar 27, 2016 at 01:33:01PM +0200, Moritz Mühlenhoff wrote:
>> On Sun, Feb 07, 2016 at 02:28:04PM -0400, David Prévot wrote:
>>> Package: php-tcpdf
>>> Version: 6.0.093+dfsg-1
>>> Severity: serious
>>> Tags: security upstream
>>>
>>> According to their changelog [1], upstream fixed a security issue over a
>>> year ago:
>>>
>>> 6.2.0 (2014-12-10)
>>> - Bug #1005 "Security Report, LFI posting internal files externally
>>> abusing default parameter" was fixed.
>>>
>>> 1: https://sourceforge.net/p/tcpdf/code/ci/master/tree/CHANGELOG.TXT
>>>
>>> The upstream bug report [2] is not public, so I don’t have much
>>> information about the issue, the fix, nor its actual severity.
>>>
>>> 2: https://sourceforge.net/p/tcpdf/bugs/1005/
>>
>> Can you contact upstream for information on this security bug? I have
>> no idea what that could possibly mean.
>
> Did you get any information on that from upstream? The bug is still
> closed, so does not really help.
>
> Regards,
> Salvatore