It looks like this is only affecting Factory.

openSUSE:Factory pdfbox-2.0.22-src.zip

All other SUSE and openSUSE code streams are on 1.8.x versions.

SUSE:SLE-15-SP2    pdfbox-1.8.16-src.zip
SUSE:SLE-15        pdfbox-1.8.12-src.zip
openSUSE:Leap:15.2 pdfbox-1.8.16-src.zip

Apparently there are two CVEs, CVE-2021-27807 and CVE-2021-27906.

CVE-2021-27906 is fixed by https://github.com/apache/pdfbox/commit/8c47be1011c11dc47300faecffd8ab32fba3646f, but I can't tell which commits are needed for CVE-2021-27807.

Knowing that would be necessary to figure out whether SLE is also affected, which means version 1.8. The code causing CVE-2021-27906 is not in 1.8 at least.

Tumbleweed has version 2.0.22 and would need an update to 2.0.23 which should be relatively simple. However, I can't submit the update because I simply don't know how the -build.tar.xz tarball with the ant build is generated. It doesn't seem to be generated.

In any case, I can no longer maintain this package, as I left the team pdfbox was packaged for years ago, so I'm looking for a new maintainer.

(In reply to Fabian Vogt from comment #2)
> Tumbleweed has version 2.0.22 and would need an update to 2.0.23 which
> should be relatively simple. However, I can't submit the update because I
> simply don't know how the -build.tar.xz tarball with the ant build is
> generated. It doesn't seem to be generated.

* documented on https://en.opensuse.org/openSUSE:Packaging_Java or https://en.opensuse.org/openSUSE:Maven.

(In reply to Fabian Vogt from comment #2)
> Apparently there are two CVEs, CVE-2021-27807 and CVE-2021-27906.
> 
> CVE-2021-27906 is fixed by
> https://github.com/apache/pdfbox/commit/
> 8c47be1011c11dc47300faecffd8ab32fba3646f, but I can't tell which commits are
> needed for CVE-2021-27807.
> 
> Knowing that would be necessary to figure out whether SLE is also affected,
> which means version 1.8. The code causing CVE-2021-27906 is not in 1.8 at
> least.

I can't tell either but only Factory seems affected since the advisory says its only for versions 2.0.x.

> Tumbleweed has version 2.0.22 and would need an update to 2.0.23 which
> should be relatively simple. However, I can't submit the update because I
> simply don't know how the -build.tar.xz tarball with the ant build is
> generated. It doesn't seem to be generated.

I just submitted the update to version 2.0.23 here:
   https://build.opensuse.org/request/show/884606

> In any case, I can no longer maintain this package, as I left the team
> pdfbox was packaged for years ago, so I'm looking for a new maintainer.

Regarding maintainership, I'm extremely busy right now...

(In reply to Pedro Monreal Gonzalez from comment #4)
> (In reply to Fabian Vogt from comment #2)
> > Apparently there are two CVEs, CVE-2021-27807 and CVE-2021-27906.
> > 
> > CVE-2021-27906 is fixed by
> > https://github.com/apache/pdfbox/commit/
> > 8c47be1011c11dc47300faecffd8ab32fba3646f, but I can't tell which commits are
> > needed for CVE-2021-27807.
> > 
> > Knowing that would be necessary to figure out whether SLE is also affected,
> > which means version 1.8. The code causing CVE-2021-27906 is not in 1.8 at
> > least.
> 
> I can't tell either but only Factory seems affected since the advisory says
> its only for versions 2.0.x.

They might not care about 1.8 anymore and just ignore that...

> > Tumbleweed has version 2.0.22 and would need an update to 2.0.23 which
> > should be relatively simple. However, I can't submit the update because I
> > simply don't know how the -build.tar.xz tarball with the ant build is
> > generated. It doesn't seem to be generated.
> 
> I just submitted the update to version 2.0.23 here:
>    https://build.opensuse.org/request/show/884606

How is -build.tar.xz generated? Without having that written down, only you can update this package...

> > In any case, I can no longer maintain this package, as I left the team
> > pdfbox was packaged for years ago, so I'm looking for a new maintainer.
> 
> Regarding maintainership, I'm extremely busy right now...

So am I, but I have no experience in Java (esp. Maven) packaging. I'm mostly fine with backporting the few fixes to SLE, but I don't have the necessary knowledge to deal with the Factory package, also because I don't actually use it (anymore).

Maybe the Doc team can take over maintainership? This was originally packaged for them, fontbox became a dependency of xmlgraphics-fop.

(In reply to Fabian Vogt from comment #5)
> (In reply to Pedro Monreal Gonzalez from comment #4)
> > (In reply to Fabian Vogt from comment #2)
> > > Tumbleweed has version 2.0.22 and would need an update to 2.0.23 which
> > > should be relatively simple. However, I can't submit the update because I
> > > simply don't know how the -build.tar.xz tarball with the ant build is
> > > generated. It doesn't seem to be generated.
> > 
> > I just submitted the update to version 2.0.23 here:
> >    https://build.opensuse.org/request/show/884606
> 
> How is -build.tar.xz generated? Without having that written down, only you
> can update this package...

Fridrich generated the ant build system from the maven one and tweaked the versions and paths here:
   https://build.opensuse.org/request/show/811300

I checked that the versions and paths haven't changed and I just had to update the version value in common.xml to 2.0.23 and compress again.

(In reply to Pedro Monreal Gonzalez from comment #6)
> (In reply to Fabian Vogt from comment #5)
> > (In reply to Pedro Monreal Gonzalez from comment #4)
> > > (In reply to Fabian Vogt from comment #2)
> > > > Tumbleweed has version 2.0.22 and would need an update to 2.0.23 which
> > > > should be relatively simple. However, I can't submit the update because I
> > > > simply don't know how the -build.tar.xz tarball with the ant build is
> > > > generated. It doesn't seem to be generated.
> > > 
> > > I just submitted the update to version 2.0.23 here:
> > >    https://build.opensuse.org/request/show/884606
> > 
> > How is -build.tar.xz generated? Without having that written down, only you
> > can update this package...
> 
> Fridrich generated the ant build system from the maven one and tweaked the
> versions and paths here:
>    https://build.opensuse.org/request/show/811300

How? I've never used maven before, is there a single command which spits out that tarball?

> I checked that the versions and paths haven't changed and I just had to
> update the version value in common.xml to 2.0.23 and compress again.

(In reply to Fabian Vogt from comment #7)
> (In reply to Pedro Monreal Gonzalez from comment #6)
> > (In reply to Fabian Vogt from comment #5)
> > > (In reply to Pedro Monreal Gonzalez from comment #4)
> > > > (In reply to Fabian Vogt from comment #2)
> > > > > Tumbleweed has version 2.0.22 and would need an update to 2.0.23 which
> > > > > should be relatively simple. However, I can't submit the update because I
> > > > > simply don't know how the -build.tar.xz tarball with the ant build is
> > > > > generated. It doesn't seem to be generated.
> > > > 
> > > > I just submitted the update to version 2.0.23 here:
> > > >    https://build.opensuse.org/request/show/884606
> > > 
> > > How is -build.tar.xz generated? Without having that written down, only you
> > > can update this package...
> > 
> > Fridrich generated the ant build system from the maven one and tweaked the
> > versions and paths here:
> >    https://build.opensuse.org/request/show/811300
> 
> How? I've never used maven before, is there a single command which spits out
> that tarball?

I think @Fridrich ported all the Maven stuff to build with ANT when updating from version 1 to version 2. I think he did it by hand, maybe following the build.xml files provided by version 1. But, he can give you more details about that.

> > I checked that the versions and paths haven't changed and I just had to
> > update the version value in common.xml to 2.0.23 and compress again.