Package: odoo
Version: 14.0.0+dfsg.2-7+deb11u1
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: t...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

See details of the vulnerability at:
https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/

Note that I am not currently using the Debian version of the Odoo package, but I noticed this issue when investigating the possibility of switching from the Odoo-provided package.

All versions currently in Debian seem to be affected by this, as they embed version 2.2.228 of PDFjs:
https://sources.debian.org/src/odoo/14.0.0%2Bdfsg.2-7%2Bdeb11u1/addons/web/static/lib/pdfjs/build/pdf.js/#L126
https://sources.debian.org/src/odoo/16.0.0%2Bdfsg.2-2/addons/web/static/lib/pdfjs/build/pdf.js/#L126

This vulnerability has been corrected in 4.2.67; alternatively, there seems to be a simple workaround described in:
https://github.com/mozilla/pdf.js/discussions/18168

-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (500, 'testing'), (50, 'unstable'), (10, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.8.12-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
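An added defender-side check, not part of the bug report nor of the Odoo or Debian packages: a script that locates the pdf.js build bundled in an Odoo source or install tree, reads the version declared on the line the report links to, and flags anything older than the 4.2.67 fix. It assumes the declaration is named pdfjsVersion and that the file sits at the addons/.../pdfjs/build/pdf.js path shown in the links above.

```python
"""Flag an Odoo tree whose bundled pdf.js predates the CVE-2024-4367 fix (4.2.67)."""
from __future__ import annotations

import re
import sys
from pathlib import Path

FIXED_VERSION = (4, 2, 67)  # pdf.js release the report names as corrected
# Assumption: built pdf.js declares `var|const pdfjsVersion = '2.2.228';`
# (keyword and quote style vary between builds, so both are accepted).
_VERSION_RE = re.compile(r"""pdfjsVersion\s*=\s*['"](\d+\.\d+\.\d+)['"]""")


def parse_version(text: str) -> tuple[int, ...]:
    """'2.2.228' -> (2, 2, 228); integer tuples order correctly, raw strings do not."""
    return tuple(int(part) for part in text.split("."))


def extract_pdfjs_version(source: str) -> str | None:
    """Return the version string declared in a built pdf.js, or None if absent."""
    match = _VERSION_RE.search(source)
    return match.group(1) if match else None


def is_vulnerable(version: str) -> bool:
    """Anything older than the fix release is treated as affected."""
    return parse_version(version) < FIXED_VERSION


def scan_tree(root: Path) -> list[tuple[Path, str, bool]]:
    """Find every bundled pdfjs/build/pdf.js under root: (path, version, affected)."""
    findings = []
    for path in root.rglob("pdfjs/build/pdf.js"):
        version = extract_pdfjs_version(path.read_text(errors="replace"))
        if version is not None:
            findings.append((path, version, is_vulnerable(version)))
    return findings


# Constructed sample mimicking the declaration in the Debian-packaged build.
SAMPLE_SOURCE = "const pdfjsVersion = '2.2.228';\nconst pdfjsBuild = 'deadbeef';\n"

if __name__ == "__main__":
    root = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, version, affected in scan_tree(root):
        print(f"{path}: pdf.js {version} {'AFFECTED' if affected else 'ok'}")
```

Run it with the unpacked source or the installed /usr/lib/python3/dist-packages/odoo directory as the argument; an empty result means no pdf.js build with a recognisable version declaration was found, not that the tree is clean.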