On Mon, Dec 31, 2018 at 08:04:18AM +0100, Salvatore Bonaccorso wrote:
> Hi Cyril,
>
> > https://security-tracker.debian.org/tracker/source-package/tika
>
> Furthermore, if we only update to 1.13 there are likely some of the
> currently <not-affected> CVEs which will make tika affected, because
> the issue was introduced post 1.5. One example of this is
> CVE-2016-6809, where the Matlab file parser was only introduced in 1.6
> and the issue fixed in 1.14. Or CVE-2018-17197, which affects 1.8 to
> 1.19.1. CVE-2018-1338, which was introduced in 1.7. CVE-2018-1335,
> present from 1.7 to 1.17.
>
> There might be others, so I think the new upstream version fixing all
> known current CVEs is actually needed.
Agreed. Also 1.13 was released in May 2016, so by the time buster gets
released it would be ~ 5 years old.

Cheers,
Moritz
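The check Salvatore describes, as an added example that is not part of the thread and not Debian security-tracker code: encode each CVE's affected version range as stated in the quoted message and compute which CVEs a candidate upstream version would newly pick up relative to the currently packaged 1.5. The thread gives no fix version for CVE-2018-1338, so that range is left open-ended here (an assumption, not a claim about the real fix); the helper names, the dataclass and the "fixed in" versus "present up to" distinction are mine. Versions are compared as integer tuples rather than strings, since a naive string compare would rank "1.13" below "1.6".

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted release string into integer components.

    Tuple comparison then orders (1, 6) < (1, 13) < (1, 19) < (1, 19, 1),
    which a plain string comparison of "1.6" and "1.13" gets wrong.
    """
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class AffectedRange:
    """Affected release range of one CVE, as stated in the thread.

    introduced:      first affected release (inclusive)
    upper:           upper bound, or None when no fix version is given
    upper_inclusive: True for "present from X to Y" (Y still affected),
                     False for "fixed in Y" (Y is the first clean release)
    """
    cve: str
    introduced: str
    upper: Optional[str]
    upper_inclusive: bool

    def contains(self, version: str) -> bool:
        v = parse_version(version)
        if v < parse_version(self.introduced):
            return False          # predates the vulnerable code
        if self.upper is None:
            return True           # no fix version known in this thread
        u = parse_version(self.upper)
        return v <= u if self.upper_inclusive else v < u


# Ranges exactly as given in the quoted message. The None for
# CVE-2018-1338 is an assumption: the thread names no fix version.
TIKA_RANGES: List[AffectedRange] = [
    AffectedRange("CVE-2016-6809", "1.6", "1.14", upper_inclusive=False),
    AffectedRange("CVE-2018-17197", "1.8", "1.19.1", upper_inclusive=True),
    AffectedRange("CVE-2018-1338", "1.7", None, upper_inclusive=False),
    AffectedRange("CVE-2018-1335", "1.7", "1.17", upper_inclusive=True),
]


def affected_cves(version: str, ranges=TIKA_RANGES) -> List[str]:
    """CVEs whose affected range contains `version`."""
    return sorted(r.cve for r in ranges if r.contains(version))


def newly_affected(current: str, candidate: str, ranges=TIKA_RANGES) -> List[str]:
    """CVEs marked <not-affected> at `current` that `candidate` would pick up.

    These are the regressions a partial upstream bump would introduce into
    the package's security-tracker state.
    """
    before = set(affected_cves(current, ranges))
    after = set(affected_cves(candidate, ranges))
    return sorted(after - before)


if __name__ == "__main__":
    for candidate in ("1.13", "1.17", "1.19.1"):
        print(f"1.5 -> {candidate}: newly affected by "
              f"{newly_affected('1.5', candidate) or 'nothing'}")
```

Run as is, the script shows that moving from 1.5 to 1.13 picks up all four CVEs named in the thread, which is the concrete form of the objection above: a version bump that lags the fix releases turns <not-affected> entries into open ones.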