On 20.01.21 at 17:52, Tilman Hausherr wrote:
That is here: https://issues.apache.org/jira/browse/PDFBOX-4505
There was another CVE addressing the same issue [1]. It was fixed in
1.8.12/2.0.1, but I'm afraid we missed something within Jempbox. I've finally
fixed that in [2]. That fix isn't released yet. I've planned to cut a new one
once we release 3.0.0, but I can do it earlier if necessary.
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2175
[2] https://svn.apache.org/r1885874
That code (XML parse) isn't in 1.8. Nevertheless, you should migrate to 2.0.* to
enjoy all the improvements.
+1, 2.0.* is definitely the better choice. 1.8 is already a dead end and the
official EOL will come once 3.0.0 is released.
Andreas
Tilman
On 20.01.2021 at 11:07, Avinash Modi wrote:
I was scanning Apache PDFBox v1.8.16 jar in BlackDuck and it got flagged
with the following report:
*CVE-2019-0228*
Apache PDFBox 2.0.14 does not properly initialize the XML parser, which
allows context-dependent attackers to conduct XML External Entity (XXE)
attacks via a crafted XFDF.
From the report: it talks about v2.0.14, but I am on v1.8.16, which is what I am
wondering about.
My concern is that I am using Apache PDFBox 1.8.16, which was released on
3rd July 2020, after the issue was reported (on 17 Apr 2019). So, did it get
resolved in this version?
Thanks,
Avinash.