Control: notfound -1 20221105+dfsg-1.1
Control: fixed -1 20221105+dfsg-1.1

Hi,

On Thu, Jan 01, 2026 at 11:52:11PM +0100, Salvatore Bonaccorso wrote:
> Control: found -1 20221105+dfsg-1.1
>
> On Thu, Nov 13, 2025 at 11:04:22PM +0100, Salvatore Bonaccorso wrote:
> > Control: tags 1120642 + patch
> > Control: tags 1120642 + pending
> >
> > X-Debbugs-CC: [email protected]
> >
> >
> > Dear maintainer,
> >
> > I've prepared an NMU for pdfminer (versioned as 20221105+dfsg-1.1) and
> > uploaded it to DELAYED/2. Please feel free to tell me if I
> > should cancel it.
> >
> > I do realize the delay is chosen a bit too short, if possible though I
> > would like to base the trixie- and bookworm-security upload based on
> > this, given we have the same version across the suites.
> >
> > If I still should cancel it, let me know please.
>
> Unfortunately the original fix was incomplete and it was still
> possible to exploit CVE-2025-64512. The proper solution was upstream
> to replace pickle with JSON for CMap storage.
>
> I'm not yet sure how we can backport this to older versions, but let's
> reopen the bug to make the fix correct.
>
> Information: https://github.com/pdfminer/pdfminer.six/pull/1172
> Fix:
> https://github.com/pdfminer/pdfminer.six/commit/41a247c2d66ea962823459403b828375ccc7bd33

The incomplete fix got a separate CVE. So split this up again into the
original tracking.

Regards,
Salvatore

