Hi David,

On Sun, Mar 27, 2016 at 01:33:01PM +0200, Moritz Mühlenhoff wrote:
> On Sun, Feb 07, 2016 at 02:28:04PM -0400, David Prévot wrote:
> > Package: php-tcpdf
> > Version: 6.0.093+dfsg-1
> > Severity: serious
> > Tags: security upstream
> >
> > According to their changelog [1], upstream fixed a security issue over a
> > year ago:
> >
> > 6.2.0 (2014-12-10)
> > - Bug #1005 "Security Report, LFI posting internal files externally
> > abusing default parameter" was fixed.
> >
> > 1: https://sourceforge.net/p/tcpdf/code/ci/master/tree/CHANGELOG.TXT
> >
> > The upstream bug report [2] is not public, so I don’t have much
> > information about the issue, the fix, nor its actual severity.
> >
> > 2: https://sourceforge.net/p/tcpdf/bugs/1005/
>
> Can you contact upstream for information on this security bug? I have
> no idea what that could possibly mean.

Did you get any information on that from upstream? The bug is still closed, so does not really help.

Regards,
Salvatore