[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Triage of CVE-2020-9489/tika

Hi Chris,

On Sun, May 10, 2020 at 4:28 AM Chris Lamb <lamby@debian.org> wrote:
I will first your mail in full with the Git SHAs expanded to URIs of
the diffs themselves:

I should've done them in the first place. Many thanks! <3

I would definitely agree with your sentiment that this would be too
invasive to backport as a patch. However, before going for no-dsa
here, did you consider upgrading the entire package to a newer
version? (Is it even compatible? Is this critical enough of a package?

Yeah, but I think it won't cut it. There are some dependency bumps, too.
The vulnerabilities in the MP4Parser were partially fixed by upgrading thecom.googlecode:isoparser:1.1.22 dependency toorg.tallison:isoparser:
Then they upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release. They also upgraded openjson to 1.0.10, org.ow2.asm to 8.0.1, zstd-jni to1.4.4-9, bouncycastle to 1.65, commons-lang3 to 3.10, lucene to 8.5.0 andmockito to 3.3.3 as part of the 1.24.1 release.

And I don't think it's a good idea to upgrade or backport the fix.
So I shall mark this as no-dsa <the fix is too invasive> for Jessie.


Reply to: