Apache has issued advisories on March 19: https://www.openwall.com/lists/oss-security/2021/03/19/9 https://www.openwall.com/lists/oss-security/2021/03/19/10 The issues are fixed upstream in 2.0.23. Mageia 7 is also affected (see also Bug 23251).
Version: Cauldron => 8
Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 2.0.23
Blocks: (none) => 23251
Blocks: (none) => 28708
fixed in mga8:
src:
- pdfbox-2.0.23-1.mga8
bug cloned in 28708 for mga7
Whiteboard: MGA7TOO => (none)
Blocks: 23251, 28708 => (none)
CC: (none) => mageia
Assignee: java => qa-bugs
Status comment: Fixed upstream in 2.0.23 => (none)
Advisory:
========================

Updated pdfbox packages fix security vulnerabilities:

A carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions (CVE-2021-27807).

A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions (CVE-2021-27906).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27807
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27906
https://www.openwall.com/lists/oss-security/2021/03/19/9
https://www.openwall.com/lists/oss-security/2021/03/19/10
========================

Updated packages in core/updates_testing:
========================
pdfbox-2.0.23-1.mga8
xmpbox-2.0.23-1.mga8
pdfbox-tools-2.0.23-1.mga8
pdfbox-parent-2.0.23-1.mga8
pdfbox-reactor-2.0.23-1.mga8
pdfbox-javadoc-2.0.23-1.mga8
pdfbox-debugger-2.0.23-1.mga8
fontbox-2.0.23-1.mga8
preflight-2.0.23-1.mga8

from pdfbox-2.0.23-1.mga8.src.rpm
Installed all packages, including numerous dependencies, in a vbox mga8 Plasma guest. Referenced Bug 18558 for testing suggestions, where I read that QA had been advised to OK this on a clean install and update over the previous versions. Updated using qarepo, with no issues, so it looks OK here. Validating. Advisory in Comment 2.
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => ouaurelien
Keywords: (none) => advisory
CVE: (none) => CVE-2021-27807, CVE-2021-27906
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0184.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Fedora has issued an advisory for this on March 26: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6PT72QOFDXLJ7PLTN66EMG5EHPTE7TFZ/