On Mon, Apr 05, 2021 at 05:15:12PM +0200, Salvatore Bonaccorso wrote:
> On Sun, Apr 04, 2021 at 09:05:06PM -0700, tony mancill wrote:
> > On Sat, Mar 27, 2021 at 07:54:11PM +0100, Salvatore Bonaccorso wrote:
> > > Source: libpdfbox2-java
> > > Version: 2.0.22-1
> > > Severity: important
> > > Tags: security upstream
> > > Forwarded: https://issues.apache.org/jira/browse/PDFBOX-5112
> > > X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
> >
> > Hi,
> >
> > I took a look at this and I think the best thing to do for our users is
> > to upload 2.0.23 instead of trying to backport just the CVE changes
> > from this set of commits [1].
> >
> > The 2.0.23 package builds without any other changes and doesn't
> > introduce any API changes [2]. This will address both CVE-2021-27807
> > and CVE-2021-27906.
> >
> > I have an upload ready (using DEP-14 branches, so it won't change
> > master). I originally considered uploading 2.0.23 to experimental due
> > to the freeze, but I think it should go to unstable and then we can
> > discuss what we do for bullseye.
>
> Do you by chance have any more details on CVE-2021-27807? The two
> posts to oss-security were a bit scarce on details for CVE-2021-27807.
> For CVE-2021-27906 at least there was a point to a respective upstream
> issue.
Err, I'm glad you asked. I'm looking through my notes and I think I made a mistake about CVE-2021-27807 being in 2.0.23. I will mark the bug as not-fixed and follow up.

> About the upload to unstable, would it maybe be sensible to ask first
> for a pre-approval from the release team?

Yes, it definitely is sensible. For this issue, I think the cherry-pick approach is more likely to result in problems for users than the updated version. If the Release Team does not agree, I will track the issue and work through s-p-u, or at least backports.

Thank you,
tony