Hi,

The recent security issues CVE-2021-27807 and CVE-2021-27906 as well as a couple cases of undeclared exceptions fixed in 2.0.23 were found with our open-source JVM fuzzer Jazzer (https://github.com/CodeIntelligenceTesting/jazzer).

Meanwhile, Jazzer has been integrated into Google's fuzzing initiative for open-source projects, OSS-Fuzz. If you are interested, I could set Apache PDFBox up for continuous fuzzing in OSS-Fuzz.

You can find more information on the disclosure guidelines for bugs found by OSS-Fuzz at https://google.github.io/oss-fuzz/getting-started/bug-disclosure-guidelines/. Summarized briefly, bugs will be published either 90 days after they were found or about a day after they have been fixed in the repository.

All I would need from you is a list of email addresses that should receive bug reports (including both general bugs and security issues). These can be both mailing lists and personal accounts. In order to obtain full access to reports, such an email address needs to be associated with a Google account (which can be created for any existing email).

Fabian
Code Intelligence GmbH
