On Mon, Apr 05, 2021 at 09:37:41AM +0200, Markus Koschany wrote:
> On Sunday, 04.04.2021, 21:05 -0700, tony mancill wrote:
> > On Sat, Mar 27, 2021 at 07:54:11PM +0100, Salvatore Bonaccorso wrote:
> > > Source: libpdfbox2-java
> > > Version: 2.0.22-1
> > > Severity: important
> > > Tags: security upstream
> > > Forwarded: https://issues.apache.org/jira/browse/PDFBOX-5112
> > > X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
> >
> > Hi,
> >
> > I took a look at this and I think the best thing to do for our users is
> > to upload 2.0.23 instead of trying to pick and backport just the CVE changes
> > from this set of commits [1].
> >
> > The 2.0.23 package builds without any other changes and doesn't
> > introduce any API changes [2]. This will address both CVE-2021-27807
> > and CVE-2021-27906.
>
> That sounds reasonable to me. Thanks for the update!

Hi Markus,

It is done. The only thing that's a little weird about switching over to the DEP-14 layout is that the "upstream" branch gets renamed to "upstream/latest" and I don't know how to do that without deleting the (bare) "upstream" branch.

Everything should be correct in Salsa for a new checkout, but you might run into some git unhappiness when updating your local repo.

Cheers,
tony