Hi Adrian,

On Sun, May 22, 2022 at 01:09:03PM +0000, Debian Bug Tracking System wrote:
> > Hi,
> >
> > The following vulnerability was published for php-dompdf.
> >
> > I raise this as grave to ask the following question as well from
> > future inclusion in bookworm: Is php-dompdf still maintained? I notice
> > that it's at version 0.6.2 since stretch with one single NMU from the
> > reproducible builds team. Or should it be removed from Debian?
>
> It is orphaned, and the maintainer of the reverse dependency has some
> interest in keeping it (see #978994).

Oh, in this case it is best if the reverse dependency maintainer actually
picks it up. I agree there is no one to be forced, but I'm worried that
it's the same version back some releases, while there would be several
new upstream versions released in the meanwhile which seem they should be
updated and enter bookworm accordingly.

> > CVE-2022-28368[0]:
> > | Dompdf 1.2.1 allows remote code execution via a .php file in the
> > | src:url field of an @font-face Cascading Style Sheets (CSS) statement
> > | (within an HTML input file).
> >
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >...
>
> The vulnerability was introduced in 0.8.0, which is more recent than any
> version currently in Debian:
> https://github.com/dompdf/dompdf/commit/0e0261b7bce372b3a05b712a023f6f742a22d57e

Thanks for triaging the issue further and updating the security-tracker data!

Regards,
Salvatore