CVE-2017-9096 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9096): The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF.
@Maintainers please call for stabilization when ready. Thank you
*** Bug 637476 has been marked as a duplicate of this bug. ***
Mask and remove itext. There is a fork that does not require license, etc. https://github.com/LibrePDF/OpenPDF
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=939d02c84c4ffef19acd328fb4e1f9129d04c28d

commit 939d02c84c4ffef19acd328fb4e1f9129d04c28d
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-09-14 15:45:52 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-09-14 15:45:52 +0000

    dev-java/itext: Remove last-rited pkg

    Bug: https://bugs.gentoo.org/636976
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-java/itext/Manifest | 4 --
 .../itext-5.5.4-OcspClientBouncyCastle.java.patch | 15 -----
 dev-java/itext/itext-2.1.5-r2.ebuild | 78 ----------------------
 dev-java/itext/itext-5.5.4-r2.ebuild | 57 ----------------
 dev-java/itext/metadata.xml | 25 -------
 profiles/package.mask | 5 --
 6 files changed, 184 deletions(-)
buh bye