On Sun, Feb 07, 2016 at 02:28:04PM -0400, David Prévot wrote:
> Package: php-tcpdf
> Version: 6.0.093+dfsg-1
> Severity: serious
> Tags: security upstream
> 
> According to their changelog [1], upstream fixed a security issue over a
> year ago:
> 
> 6.2.0 (2014-12-10)
>       - Bug #1005 "Security Report, LFI posting internal files externally 
> abusing default parameter" was fixed.
> 
>       1: https://sourceforge.net/p/tcpdf/code/ci/master/tree/CHANGELOG.TXT
> 
> The upstream bug report [2] is not public, so I don’t have much
> information about the issue, the fix, nor its actual severity.
> 
>       2: https://sourceforge.net/p/tcpdf/bugs/1005/

Can you contact upstream for information on this security bug? I have
no idea what that could possibly mean.

Cheers,
        Moritz
