On Sat, Mar 27, 2021 at 07:52:37PM +0100, Salvatore Bonaccorso wrote:
> Source: libpdfbox2-java
> Version: 2.0.22-1
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi Salvatore,

I'm continuing our thread from 986008, but switching over to the BTS entry 986006 for CVE-2021-27807 to try to cut down on confusion between the CVEs.

Below is why I marked this bug as fixed in 2.0.23-1. I haven't yet identified the exact commit(s), but will update the bug if I can locate it.

From https://pdfbox.apache.org/#news:

> CVE-2021-27807, CVE-2021-27906 Infinite loop and OutOfMemory
> 2021-03-20
>
> CVE-2021-27807: A carefully crafted PDF file can trigger an infinite loop
> while loading the file.
>
> CVE-2021-27906: A carefully crafted PDF file can trigger an
> OutOfMemory-Exception while loading the file.
>
> Versions Affected: Apache PDFBox <= 2.0.22
>
> Mitigation: Upgrade to Apache PDFBox 2.0.23

Note that others have drawn the same conclusion from the announcement - e.g. https://github.com/apache/ofbiz-framework/commit/df69401118c99896432b417690f2229bc757072c

Thanks,
tony