I will first your mail in full with the Git SHAs expanded to URIs of
the diffs themselves:
I should've done them in the first place. Many thanks! <3
I would definitely agree with your sentiment that this would be too
invasive to backport as a patch. However, before going for no-dsa
here, did you consider upgrading the entire package to a newer
version? (Is it even compatible? Is this critical enough of a package?
etc.)
Yeah, but I think it won't cut it. There are some dependency bumps, too.
The vulnerabilities in the MP4Parser were partially fixed by upgrading thecom.googlecode:isoparser:1.1.22 dependency toorg.tallison:isoparser:1.9.41.2.
Then they upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release. They also upgraded openjson to 1.0.10, org.ow2.asm to 8.0.1, zstd-jni to1.4.4-9, bouncycastle to 1.65, commons-lang3 to 3.10, lucene to 8.5.0 andmockito to 3.3.3 as part of the 1.24.1 release.
And I don't think it's a good idea to upgrade or backport the fix.
So I shall mark this as no-dsa <the fix is too invasive> for Jessie.
Best,
Utkarsh