
Re: Triage of CVE-2020-9489/tika



Hi

Based on the other discussion we have, I guess the verdict is
"ignored" instead of no-dsa. :-)

// Ola

On Sun, 10 May 2020 at 18:47, Utkarsh Gupta <utkarsh@debian.org> wrote:
>
> Hi Chris,
>
> On Sun, May 10, 2020 at 4:28 AM Chris Lamb <lamby@debian.org> wrote:
>>
>> I will first your mail in full with the Git SHAs expanded to URIs of
>> the diffs themselves:
>
>
> I should've done them in the first place. Many thanks! <3
>
>> I would definitely agree with your sentiment that this would be too
>> invasive to backport as a patch. However, before going for no-dsa
>> here, did you consider upgrading the entire package to a newer
>> version? (Is it even compatible? Is this critical enough of a package?
>> etc.)
>
>
> Yeah, but I think it won't cut it. There are some dependency bumps, too.
> The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:1.9.41.2.
> Then they upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release. They also upgraded openjson to 1.0.10, org.ow2.asm to 8.0.1, zstd-jni to 1.4.4-9, bouncycastle to 1.65, commons-lang3 to 3.10, lucene to 8.5.0 and mockito to 3.3.3 as part of the 1.24.1 release.
>
> And I don't think it's a good idea to upgrade or backport the fix.
> So I shall mark this as no-dsa <the fix is too invasive> for Jessie.
>
>
> Best,
> Utkarsh



-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------

