Posted to users@pdfbox.apache.org by "Mrowczynski, Krzysztof" <kr...@siemens.com> on 2022/10/28 11:35:25 UTC

PDFBox 1.8.17 vs. CVE-2021-27906, CVE-2021-27807

Hello, good morning!

In our project we would like to use PDFBox library. According to mentioned
CVEs ALL versions below 2.0.23 are affected. Recently - 15th September
2022 the PDFBox 1.8.17 was released. Unfortunately I cannot find any
information about mitigation of the vulnerability in release notes. Can you
please confirm if the vulnerability is still present in 1.8.17?

Thank you in advance for support,
Have a great day 


Kind regards,
Krzysztof Mrówczyński

Siemens Digital Logistics Sp. z o.o.
Departament R&D

ul. Swobodna 1 | 50-088 Wrocław
P +48 71 799 21 00 
Mail:  <ma...@siemens-logistics.com>
krzysztof.mrowczynski@siemens.com
 <http://www.siemens-digital-logistics.com/>
www.siemens-digital-logistics.com

Management: Arkadiusz Wójtowicz, Anna Cieślik
Registered office: Swobodna 1, 50-088 Wrocław, Poland
Register Court: Enterprise Division VI of the National Court Register,
District Wrocław-Fabryczna KRS number 0000008147
Tax Identification Number: PL 8971648009
Share capital: 1.375.000,00 PLN

Confidential @ Siemens Digital Logistics Sp. z o.o.  All rights reserved.

Important notice: This e-mail and any attachment thereof contain corporate
proprietary information. If you have received it by mistake, please notify
us immediately by reply e-mail and delete this e-mail and its attachments
from your system. Thank you.



Re: PDFBox 1.8.17 vs. CVE-2021-27906, CVE-2021-27807

Posted by Tilman Hausherr <TH...@t-online.de>.
Hi,
It wasn't lost and there is an answer. Maybe you didn't subscribe.
https://lists.apache.org/thread/2gcjrpdrlz8nrh3crnml2k80lvl6ns0b
Tilman

On 10.11.2022 13:18, Mrowczynski, Krzysztof wrote:
>
> Hello!
>
> In case last email was lost I would like to ask you again about 
> CVE-2021-27906, CVE-2021-27807 in 1.8.17
>
> Thank you

RE: PDFBox 1.8.17 vs. CVE-2021-27906, CVE-2021-27807

Posted by "Mrowczynski, Krzysztof" <kr...@siemens.com>.
Hello!

In case last email was lost I would like to ask you again about
CVE-2021-27906, CVE-2021-27807 in 1.8.17

Thank you


Re: PDFBox 1.8.17 vs. CVE-2021-27906, CVE-2021-27807

Posted by Andreas Lehmkuehler <an...@lehmi.de>.
Hi,

According to their descriptions, both CVEs are about PDFBox 2.0.x:

"This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions."

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27906
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27807

The usage of 1.8.17 is discouraged. There are still some bugfix releases from 
time to time but the whole 1.8.x branch is outdated and it is expected to be set 
to EOL once 3.0.0 is released.

You should start with 2.0.x. Currently the most recent version is 2.0.27.

Andreas

Am 28.10.22 um 13:35 schrieb Mrowczynski, Krzysztof:
> Hello, good morning!
> 
> In our project we would like to use PDFBox library. According to mentioned CVEs 
> ALL versions below 2.0.23 are affected. Recently – 15th September 2022 the 
> PDFBox 1.8.17 was released. Unfortunately I cannot find any information about 
> mitigation of the vulnerability in release notes. Can you please confirm if the 
> vulnerability is still present in 1.8.17?
> 
> Thank you in advance for support,
> Have a great day
> 


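Andreas's point is that the affected range in the CVE text is "2.0.22 and prior 2.0.x versions", which is narrower than "all versions below 2.0.23" as a scanner may render it, and which says nothing either way about 1.8.x. The following is an added example (not PDFBox project code) of a dependency triage that applies the range exactly as the CVE text states it and refuses to mark an unnamed branch such as 1.8.17 as clean. The Maven coordinates in SAMPLE_DEPS are constructed input, and the assumption that all org.apache.pdfbox modules share one release version is mine, not something the thread states.

```python
"""Version-scope triage for CVE-2021-27906 / CVE-2021-27807.

Added example for this thread, not code from the PDFBox project. The
affected range is the one stated in the CVE text quoted in the reply above
("2.0.22 and prior 2.0.x versions"). SAMPLE_DEPS is constructed input.
"""

# Affected range per the CVE descriptions: branch 2.0.x, up to and
# including 2.0.22. Releases from 2.0.23 onward on that branch contain the fix.
AFFECTED_BRANCH = (2, 0)
LAST_AFFECTED = (2, 0, 22)

# Constructed sample dependency list (Maven coordinates group:artifact:version).
SAMPLE_DEPS = [
    "org.apache.pdfbox:pdfbox:2.0.22",
    "org.apache.pdfbox:pdfbox:2.0.27",
    "org.apache.pdfbox:pdfbox:1.8.17",
    "org.apache.pdfbox:fontbox:2.0.19",
    "org.apache.commons:commons-lang3:3.12.0",  # unrelated group, must be ignored
]


def parse_version(text):
    """'2.0.27' -> (2, 0, 27). A qualifier such as '-SNAPSHOT' is dropped from
    the component it is attached to; missing components count as 0."""
    nums = []
    for part in text.split("."):
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        nums.append(int(digits) if digits else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3])


def classify(version):
    """Classify one PDFBox version string against the CVE text.

    Returns one of:
      'affected'     - 2.0.x with x <= 22, the range the CVE text names
      'fixed'        - 2.0.23 or later on the 2.0 branch
      'not-in-scope' - a branch the CVE text does not name (1.8.x, 3.x).
                       This is deliberately not 'fixed': the thread says
                       1.8.x is discouraged and doubts the fix was ported.
    """
    v = parse_version(version)
    if v[:2] != AFFECTED_BRANCH:
        return "not-in-scope"
    return "affected" if v <= LAST_AFFECTED else "fixed"


def triage(deps):
    """Return {coordinate: status} for every org.apache.pdfbox artifact.

    Assumption (mine, not from the thread): every org.apache.pdfbox module
    (pdfbox, fontbox, ...) ships at the same release version, so the pdfbox
    range is applied to each of them. Other groups are skipped.
    """
    result = {}
    for coord in deps:
        group, _artifact, version = coord.split(":")
        if group != "org.apache.pdfbox":
            continue
        result[coord] = classify(version)
    return result


def needs_action(deps):
    """Coordinates that need an upgrade to the current 2.0.x release (2.0.27
    per the thread) or a human decision: everything 'affected' plus anything
    on a branch the CVE text does not name."""
    return sorted(c for c, s in triage(deps).items() if s != "fixed")


if __name__ == "__main__":
    for coord, status in triage(SAMPLE_DEPS).items():
        print(f"{coord:45s} {status}")
    print("needs action:", needs_action(SAMPLE_DEPS))
```

The three-way result is the point: a scanner rule written as "< 2.0.23" marks 1.8.17 vulnerable, a rule written as "2.0.x <= 2.0.22" marks it clean, and neither reading is what the thread supports, so an unnamed branch is surfaced for review rather than auto-resolved.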


Re: PDFBox 1.8.17 vs. CVE-2021-27906, CVE-2021-27807

Posted by Tilman Hausherr <TH...@t-online.de>.
I doubt that it was fixed in 1.8.*. You should update to 2.0.27. There 
are more disadvantages (bugs!) in 1.8.17 than two CVEs which have never 
been exploited in the wild, and which will just crash or freeze your 
system, but not result in data access.

Tilman


On 28.10.2022 13:35, Mrowczynski, Krzysztof wrote:
>
> Hello, good morning!
>
> In our project we would like to use PDFBox library. According to 
> mentioned CVEs ALL versions below 2.0.23 are affected. Recently – 
> 15th September 2022 the PDFBox 1.8.17 was released. Unfortunately I 
> cannot find any information about mitigation of the vulnerability in 
> release notes. Can you please confirm if the vulnerability is still 
> present in 1.8.17?
>
> Thank you in advance for support,
> Have a great day
>
>