Hi Chris, On Sun, May 10, 2020 at 4:28 AM Chris Lamb <[email protected]> wrote:
> I will first your mail in full with the Git SHAs expanded to URIs of > the diffs themselves: > I should've done them in the first place. Many thanks! <3 I would definitely agree with your sentiment that this would be too > invasive to backport as a patch. However, before going for no-dsa > here, did you consider upgrading the entire package to a newer > version? (Is it even compatible? Is this critical enough of a package? > etc.) > Yeah, but I think it won't cut it. There are some dependency bumps, too. The vulnerabilities in the MP4Parser were partially fixed by upgrading thecom.googlecode:isoparser:1.1.22 dependency toorg.tallison:isoparser:1.9.41.2. Then they upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release. They also upgraded openjson to 1.0.10, org.ow2.asm to 8.0.1, zstd-jni to1.4.4-9, bouncycastle to 1.65, commons-lang3 to 3.10, lucene to 8.5.0 andmockito to 3.3.3 as part of the 1.24.1 release. And I don't think it's a good idea to upgrade or backport the fix. So I shall mark this as no-dsa <the fix is too invasive> for Jessie. Best, Utkarsh
