Hi,

On Sun, Apr 04, 2021 at 09:05:06PM -0700, tony mancill wrote:
> On Sat, Mar 27, 2021 at 07:54:11PM +0100, Salvatore Bonaccorso wrote:
> > Source: libpdfbox2-java
> > Version: 2.0.22-1
> > Severity: important
> > Tags: security upstream
> > Forwarded: https://issues.apache.org/jira/browse/PDFBOX-5112
> > X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
>
> Hi,
>
> I took a look at this and I think the best thing to do for our users is
> to upload 2.0.23 instead of trying to backport just the CVE changes
> from this set of commits [1].
>
> The 2.0.23 package builds without any other changes and doesn't
> introduce any API changes [2]. This will address both CVE-2021-27807
> and CVE-2021-27906.
>
> I have an upload ready (using DEP-14 branches, so it won't change
> master). I originally considered uploading 2.0.23 to experimental due
> to the freeze, but I think it should go to unstable and then we can
> discuss what we do for bullseye.
Do you by chance have any more details on CVE-2021-27807? The two posts
to oss-security were a bit scarce on details for CVE-2021-27807. For
CVE-2021-27906 at least there was a pointer to a respective upstream issue.

About the upload to unstable, would it maybe be sensible to ask first
for a pre-approval from the release team?

Regards,
Salvatore