Control: retitle -1 tcpdf: CVE-2017-6100: LFI posting internal files externally abusing default parameter

Hi,

On Mon, Jan 09, 2017 at 09:39:30PM +0100, Raphael Hertzog wrote:
> On Thu, 05 Jan 2017, Raphael Hertzog wrote:
> > CCing upstream author for confirmation. Nicola we are trying to understand
> > what security fix went into tcpdf 6.2.0. The bug is private on
> > sourceforge, could you make it public now?
>
> The upstream bug is now public:
> https://sourceforge.net/p/tcpdf/bugs/1005/

FTR, this has been assigned CVE-2017-6100 (yes the 2017 CVE id is a bit
strange given the bug is older).

Moritz asked later on if one of the maintainers can prepare an update
for jessie, what is the status? Is any work in progress yet?

Regards,
Salvatore