Your message dated Tue, 25 Jun 2024 07:37:37 +0000
with message-id <e1sm0kd-002fzn...@fasolo.debian.org>
and subject line Bug#1074228: fixed in odoo 16.0.0+dfsg.2-3
has caused the Debian Bug report #1074228,
regarding odoo: CVE-2024-4367 – Arbitrary JavaScript execution in PDF.js
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1074228: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074228
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: odoo
Version: 14.0.0+dfsg.2-7+deb11u1
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: t...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

See details of vulnerability at:

https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/

Note that I am not currently using the Debian version of the Odoo package, but
I noticed this issue when investigating the possibility of switching from the
Odoo-provided package.

All versions currently in Debian seem to be affected by this, as they embed
version 2.2.228 of PDFjs:

https://sources.debian.org/src/odoo/14.0.0%2Bdfsg.2-7%2Bdeb11u1/addons/web/static/lib/pdfjs/build/pdf.js/#L126
https://sources.debian.org/src/odoo/16.0.0%2Bdfsg.2-2/addons/web/static/lib/pdfjs/build/pdf.js/#L126

This vulnerability has been corrected in 4.2.67; alternatively, there seems
to be a simple workaround described in:

https://github.com/mozilla/pdf.js/discussions/18168

-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (500, 'testing'), (50, 'unstable'), (10, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.8.12-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
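As an added example (not part of the bug report or the Debian odoo package), a small Python inventory check that walks a directory tree for embedded pdf.js builds, reads the `pdfjsVersion` string at the top of `pdf.js` that the reporter's source links point at, and flags any build older than the 4.2.67 release the report names as fixed. The `pdfjsVersion = '...'` assignment pattern and the directory layout constructed in `demo()` are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Upstream release that fixes CVE-2024-4367, as stated in the bug report.
FIXED_VERSION = (4, 2, 67)

# Assumption: built pdf.js files carry their version as an assignment like
#   const pdfjsVersion = '2.2.228';   (single or double quotes)
_VERSION_RE = re.compile(r"pdfjsVersion\s*=\s*['\"](\d+(?:\.\d+)*)['\"]")


def parse_version(text):
    """'4.2.67' -> (4, 2, 67); tuples compare correctly, strings do not."""
    return tuple(int(part) for part in text.split("."))


def embedded_pdfjs_version(source):
    """Return the version tuple found in a pdf.js build, or None."""
    match = _VERSION_RE.search(source)
    return parse_version(match.group(1)) if match else None


def is_vulnerable(version):
    """Anything older than the fixing release is treated as affected."""
    return version < FIXED_VERSION


def scan_tree(root):
    """Yield (path, version string, vulnerable?) for every pdf.js under root."""
    findings = []
    for path in Path(root).rglob("pdf.js"):
        try:
            source = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        version = embedded_pdfjs_version(source)
        if version is not None:
            findings.append((str(path), ".".join(map(str, version)), is_vulnerable(version)))
    return findings


def demo():
    """Constructed sample tree (not a real Odoo install) exercising scan_tree."""
    with tempfile.TemporaryDirectory() as tmp:
        old = Path(tmp, "addons", "web", "static", "lib", "pdfjs", "build")
        old.mkdir(parents=True)
        (old / "pdf.js").write_text("const pdfjsVersion = '2.2.228';\n")
        new = Path(tmp, "vendor", "pdfjs", "build")
        new.mkdir(parents=True)
        (new / "pdf.js").write_text('const pdfjsVersion = "4.2.67";\n')
        return sorted((v, vuln) for _, v, vuln in scan_tree(tmp))


if __name__ == "__main__":
    print(demo())
```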
--- Begin Message ---
Source: odoo
Source-Version: 16.0.0+dfsg.2-3
Done: Sebastien Delafond <s...@debian.org>

We believe that the bug you reported is fixed in the latest version of
odoo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1074...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastien Delafond <s...@debian.org> (supplier of updated odoo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 25 Jun 2024 09:10:35 +0200
Source: odoo
Architecture: source
Version: 16.0.0+dfsg.2-3
Distribution: unstable
Urgency: medium
Maintainer: Freexian Packaging Team <team+freex...@tracker.debian.org>
Changed-By: Sebastien Delafond <s...@debian.org>
Closes: 1074228
Changes:
 odoo (16.0.0+dfsg.2-3) unstable; urgency=medium
 .
   * Fix CVE-2024-4367 (Closes: #1074228)



--- End Message ---