Your message dated Tue, 25 Jun 2024 07:37:37 +0000
with message-id <e1sm0kd-002fzn...@fasolo.debian.org>
and subject line Bug#1074228: fixed in odoo 16.0.0+dfsg.2-3
has caused the Debian Bug report #1074228,
regarding odoo: CVE-2024-4367 – Arbitrary JavaScript execution in PDF.js
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
1074228: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074228
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: odoo
Version: 14.0.0+dfsg.2-7+deb11u1
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: t...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

See details of the vulnerability at:
https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/

Note that I am not currently using the Debian version of the Odoo package,
but I noticed this issue when investigating the possibility of switching
from the Odoo-provided package.

All versions currently in Debian seem to be affected by this, as they embed
version 2.2.228 of PDFjs:
https://sources.debian.org/src/odoo/14.0.0%2Bdfsg.2-7%2Bdeb11u1/addons/web/static/lib/pdfjs/build/pdf.js/#L126
https://sources.debian.org/src/odoo/16.0.0%2Bdfsg.2-2/addons/web/static/lib/pdfjs/build/pdf.js/#L126

This vulnerability has been corrected in 4.2.67; alternatively, there seems
to be a simple workaround described in:
https://github.com/mozilla/pdf.js/discussions/18168

-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (500, 'testing'), (50, 'unstable'), (10, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 6.8.12-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
--- Begin Message ---
Source: odoo
Source-Version: 16.0.0+dfsg.2-3
Done: Sebastien Delafond <s...@debian.org>

We believe that the bug you reported is fixed in the latest version of
odoo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1074...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastien Delafond <s...@debian.org> (supplier of updated odoo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 25 Jun 2024 09:10:35 +0200
Source: odoo
Architecture: source
Version: 16.0.0+dfsg.2-3
Distribution: unstable
Urgency: medium
Maintainer: Freexian Packaging Team <team+freex...@tracker.debian.org>
Changed-By: Sebastien Delafond <s...@debian.org>
Closes: 1074228
Changes:
 odoo (16.0.0+dfsg.2-3) unstable; urgency=medium
 .
   * Fix CVE-2024-4367 (Closes: #1074228)
--- End Message ---