Awesome. That's good to hear. Thanks for the feedback, helix.

Regards,

On Sun, Sep 11, 2016 at 11:03 PM, helix84 <heli...@centrum.sk> wrote:
> Hi Alan, I filed a (non-public) security issue when it was first
> reported. Seems like an easy fix to just upgrade pdfbox, but we'll
> still have to test it before we release it in stable updates. Don't
> worry, it's not getting overlooked.
>
>
> Regards,
> ~~helix84
>
> Compulsory reading: DSpace Mailing List Etiquette
> https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette
>
>
> On Sun, Sep 11, 2016 at 9:00 PM, Alan Orth <alan.o...@gmail.com> wrote:
>> Any DSpace committer want to comment on this? There are security
>> vulnerabilities in the PDF library DSpace uses, and DSpace is used in
>> an environment where users upload arbitrary PDFs to be processed by
>> the system...
>>
>> On Thu, Sep 8, 2016 at 3:18 PM, Alan Orth <alan.o...@gmail.com> wrote:
>>> Good catch, Seth. I bumped up the versions of all three pdfbox
>>> components from 1.8.7 to 1.8.12 on our DSpace 5.1 instance and DSpace
>>> builds and runs fine. I haven't done any other tests, though.
>>>
>>> Cheers,
>>>
>>> On Wed, Sep 7, 2016 at 10:01 PM, Seth Robbins <robbins...@gmail.com> wrote:
>>>> Hi All,
>>>> I thought I'd bring this to the attention of the community:
>>>> There appears to be a vulnerability in the version of PDFBox that DSpace is
>>>> set to use (2.0.0, 1.8.7).
>>>>
>>>> https://pdfbox.apache.org/
>>>>
>>>> Looks like the most recent versions, 2.0.1 and 1.8.12, are patched.
>>>> I'm looking into bumping our DSpace 5 installation to use 1.8.12, but have
>>>> not tested it yet.
>>>> Thanks,
>>>> Seth
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google Groups
>>>> "DSpace Technical Support" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send an
>>>> email to dspace-tech+unsubscr...@googlegroups.com.
>>>> To post to this group, send email to dspace-tech@googlegroups.com.
>>>> Visit this group at https://groups.google.com/group/dspace-tech.
>>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>>
>>>
>>> --
>>> Alan Orth
>>> alan.o...@gmail.com
>>> https://englishbulgaria.net
>>> https://alaninkenya.org
>>> https://mjanja.ch
>>> "In heaven all the interesting people are missing." ―Friedrich Nietzsche
>>> GPG public key ID: 0x8cb0d0acb5cd81ec209c6cdfbd1a0e09c2f836c0



-- 
Alan Orth
alan.o...@gmail.com
https://englishbulgaria.net
https://alaninkenya.org
https://mjanja.ch
"In heaven all the interesting people are missing." ―Friedrich Nietzsche
GPG public key ID: 0x8cb0d0acb5cd81ec209c6cdfbd1a0e09c2f836c0
