Source: php-dompdf
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for php-dompdf.

CVE-2022-2400[0]:
| External Control of File Name or Path in GitHub repository
| dompdf/dompdf prior to 2.0.0.

https://huntr.dev/bounties/a6da5e5e-86be-499a-a3c3-2950f749202a

The isolated patch is
https://github.com/dompdf/dompdf/commit/99aeec1efec9213e87098d42eb09439e7ee0bb6a
but if php-dompdf is to be included in Bookworm, it should really be
updated to 2.0.0, otherwise the current version will be over seven years
old when Bookworm gets released.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-2400
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2400

Please adjust the affected versions in the BTS as needed.