-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 02 Jun 2025 19:03:58 -0300
Source: tcpdf
Architecture: source
Version: 6.3.5+dfsg1-1+deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: phpMyAdmin Team <team+phpmyadmin@tracker.debian.org>
Changed-By: Santiago Ruano Rincón <santiagorr@riseup.net>
Changes:
 tcpdf (6.3.5+dfsg1-1+deb11u1) bullseye-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Team
   * Exclude quilt managed directory .pc/ from phpab in debian/rules
   * Explicitly specify RELEASE: bullseye in d/gitlab-ci.yml
   * Fix CVE-2024-22640: ReDoS (Regular Expression Denial of Service) if
     parsing an untrusted HTML page with a crafted color
   * Fix CVE-2024-22641: ReDoS (Regular Expression Denial of Service) if
     parsing an untrusted SVG file
   * Fix CVE-2024-32489: tcpdf mishandles calls that use HTML syntax
   * Fix CVE-2024-51058: Local File Inclusion (LFI) vulnerability through
     <img> src tag
   * Fix CVE-2024-56519: setSVGStyles does not sanitize the SVG font-family
     attribute
   * Fix CVE-2024-56520: tcpdf, through its use of tc-lib-pdf-font,
     mishandles fonts like FontBBox for Type 1 and misparses TrueType fonts
   * Fix CVE-2024-56522: unserializeTCPDFtag doesn't make use of
     constant-time function to compare TCPDF tag hashes
   * Fix CVE-2024-56527: the Error function lacks an htmlspecialchars call
     for the error message
   * Backport d/tests/test.sh from bookworm
   * Update git branch in the VCS-Git d/control field
Checksums-Sha1:
 1c285882682b09d763a3e35a2ae9677540ddf985 1595 tcpdf_6.3.5+dfsg1-1+deb11u1.dsc
 e27cf05b1dc749c76bee09b08776b553ad015552 8027292 tcpdf_6.3.5+dfsg1.orig.tar.xz
 c1ef9bbe0dc9c9126b3691fd93b2e07e4f2c6442 14624 tcpdf_6.3.5+dfsg1-1+deb11u1.debian.tar.xz
 70078af3f01b1fbfc2609c758887c2b4c1c8d67e 6387 tcpdf_6.3.5+dfsg1-1+deb11u1_amd64.buildinfo
Checksums-Sha256:
 a66e5a7a8cf6c5f0275b36f383dc5c0a6e4b299cd4ce631fbb572337293c1b96 1595 tcpdf_6.3.5+dfsg1-1+deb11u1.dsc
 f17b4589b7427a68f7ec9628a0af450f4ee898f6ac4b789ba0bccfb4c5653945 8027292 tcpdf_6.3.5+dfsg1.orig.tar.xz
 2292b9ae1726cff14ea9647b9f9d6da6eee5b6027e938bfaa22f5e9c813c895f 14624 tcpdf_6.3.5+dfsg1-1+deb11u1.debian.tar.xz
 c540d333d7899a501e54a04193bb7302078366f9d7cd3a57d526089c1e198234 6387 tcpdf_6.3.5+dfsg1-1+deb11u1_amd64.buildinfo
Files:
 2be78a9f1e04bd7545afea413e9b4c74 1595 php optional tcpdf_6.3.5+dfsg1-1+deb11u1.dsc
 84312891236c5d429f3793778ca7351e 8027292 php optional tcpdf_6.3.5+dfsg1.orig.tar.xz
 00f867a3b1b3cbee3833cb9aa067c5cd 14624 php optional tcpdf_6.3.5+dfsg1-1+deb11u1.debian.tar.xz
 bdd480325e5507ec0e6acfc07280420e 6387 php optional tcpdf_6.3.5+dfsg1-1+deb11u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iIwEARYKADQWIQR+lHTq7mkJOyB6t2Un3j1FEEiG7wUCaD6/uBYcc2FudGlhZ29y
ckByaXNldXAubmV0AAoJECfePUUQSIbvZToBAPKHRx79rZOrm2HxmJQRQuJgRxE6
q/JJPdRlT0w9BGOSAQCERnRPxrWVP34Jsun3vL9+Wn1bWdv29BHAXAdjmGxWCQ==
=7BhF
-----END PGP SIGNATURE-----