Triage of CVE-2020-9489/tika

To: Debian LTS <debian-lts@lists.debian.org>, Debian Security Team <team@security.debian.org>
Subject: Triage of CVE-2020-9489/tika
From: Utkarsh Gupta <utkarsh@debian.org>
Date: Sat, 9 May 2020 00:48:56 +0530
Message-id: <[🔎] CAPP0f95qRdVD4xh_cFduoFfnWXO=fBPVtuWhwmrxcoxj4pBA_g@mail.gmail.com>

Hi all,

I've been looking at CVE-2020-9489/tika to find the patch for the same
and found the following details so far (after having a word with the
upstream maintainer):

The general dependency updates including some with security
implications: 171f4343

The fixes for the security items identified in that CVE
0f4d5de0
73b26ef0
e9b2c386
8e2eb052
57193f51
f9607f97
f7f1be6a
333d9906

I feel that the fix is too invasive to backport and should be marked as no-dsa?
If someone concurs with me on this, I'd go on and mark this as no-dsa
for Jessie.


Best,
Utkarsh

Reply to:

Follow-Ups:
- Re: Triage of CVE-2020-9489/tika
  - From: "Chris Lamb" <lamby@debian.org>

Prev by Date: d-s-s in sync in stable, oldstable and oldoldstable (Re: keystone support in Jessie)
Next by Date: Re: Apache's mod_remoteip: IP address spoofing via X-Forwarded-For when mod_rewrite rule is triggered
Previous by thread: Re: nginx / CVE-2020-11724
Next by thread: Re: Triage of CVE-2020-9489/tika
Index(es):
- Date
- Thread