<html>

    <head>

      <base href="https://bugzilla.rosalinux.ru/">

    </head>

    <body><table border="1" cellspacing="0" cellpadding="8">

        <tr>

          <th>Platform</th>

          <td>---

          </td>

        </tr>

        <tr>

          <th>Bug ID</th>

          <td><a class="bz_bug_link 

          bz_status_CONFIRMED "

   title="CONFIRMED - itext 2.1.7 CVEs found"

   href="https://bugzilla.rosalinux.ru/show_bug.cgi?id=13245">13245</a>

          </td>

        </tr>

        <tr>

          <th>Summary</th>

          <td>itext 2.1.7 CVEs found

          </td>

        </tr>

        <tr>

          <th>Classification</th>

          <td>ROSA-based products

          </td>

        </tr>

        <tr>

          <th>Product</th>

          <td>Certified ROSA distros

          </td>

        </tr>

        <tr>

          <th>Version</th>

          <td>Chrome

          </td>

        </tr>

        <tr>

          <th>Hardware</th>

          <td>All

          </td>

        </tr>

        <tr>

          <th>URL</th>

          <td>CVE-2017-9096, CVE-2022-24196, CVE-2022-24197,

          </td>

        </tr>

        <tr>

          <th>OS</th>

          <td>Linux

          </td>

        </tr>

        <tr>

          <th>Status</th>

          <td>CONFIRMED

          </td>

        </tr>

        <tr>

          <th>Severity</th>

          <td>normal

          </td>

        </tr>

        <tr>

          <th>Priority</th>

          <td>Normal

          </td>

        </tr>

        <tr>

          <th>Component</th>

          <td>System (kernel, glibc, systemd, bash, PAM...)

          </td>

        </tr>

        <tr>

          <th>Assignee</th>

          <td>bugs&#64;lists.rosalinux.ru

          </td>

        </tr>

        <tr>

          <th>Reporter</th>

          <td>y.tumanov&#64;rosalinux.ru

          </td>

        </tr>

        <tr>

          <th>QA Contact</th>

          <td>bugs&#64;lists.rosalinux.ru

          </td>

        </tr>

        <tr>

          <th>Target Milestone</th>

          <td>---

          </td>

        </tr>

        <tr>

          <th>Group</th>

          <td>ROSA-plus-NTCIT

          </td>

        </tr>

        <tr>

          <th>Flags</th>

          <td>secteam_verified?

          </td>

        </tr></table>

      <p>

        <div>

        <pre>Please patch CVEs for package itext version 2.1.7  

INFO (CVEs are): itext 2.1.7 cves found

CVE-2017-9096

Desc: The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not

disable external entities, which might allow remote attackers to conduct XML

external entity (XXE) attacks via a crafted PDF.

Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2017-9096">https://nvd.nist.gov/vuln/detail/CVE-2017-9096</a>

Severity: HIGH

CVE-2022-24196

Desc: iText v7.1.17, up to (exluding)&quot;: 7.1.18 and 7.2.2 was discovered to

contain an out-of-memory error via the component readStreamBytesRaw, which

allows attackers to cause a Denial of Service (DoS) via a crafted PDF file.

Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-24196">https://nvd.nist.gov/vuln/detail/CVE-2022-24196</a>

Severity: MEDIUM

CVE-2022-24197

Desc: iText v7.1.17 was discovered to contain a stack-based buffer overflow via

the component ByteBuffer.append, which allows attackers to cause a Denial of

Service (DoS) via a crafted PDF file.

Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-24197">https://nvd.nist.gov/vuln/detail/CVE-2022-24197</a>

Severity: MEDIUM</pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are the QA Contact for the bug.</li>

          <li>You are the assignee for the bug.</li>

      </ul>

    </body>

</html>