Security Vulnerability #18168
Will the fix for CVE-2024-4367 be backported to v3? (#18015) There are significantly more users on v3 compared to v4, and v4 is a major breaking change, so it is likely that many people will remain on v3 and remain vulnerable to this exploit.

Separately, it seems like https://github.com/mozilla/pdfjs-dist is no longer being updated. If this repo has been abandoned, could it be marked as "Archived"? Or alternatively, could a warning be added to the README? This would prevent a lot of confusion.
Replies: 1 comment
No, that's unfortunately not planned. Please note that there's a bunch of manual work involved in creating releases, and the `3.x` branch has been completely unsupported for quite some time.

Also, as outlined in the advisory, it's trivial to work around the problem in older PDF.js versions simply by setting `isEvalSupported: false` in the `getDocument`-call.

Yes, that's unfortunately a known problem but we're not sure how/why it broke. The intention is to fix this, but it depends on issue #11851 being implemented.
However, please note that h…
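
The workaround mentioned in the reply above, as an added example that is not part of the original discussion or of the PDF.js code base: a wrapper that forces `isEvalSupported: false` no matter which source form is passed to `getDocument`. The helper names (`toParams`, `hardenParams`, `safeGetDocument`) are hypothetical, and `pdfjsLib` stands for whatever PDF.js module object the application already loads.

```javascript
// Added example: force isEvalSupported=false on every getDocument() call.
// Helper names are hypothetical; `pdfjsLib` is the PDF.js module object
// the application already loads (passed in, so this file imports nothing).

// Normalise the source forms getDocument() accepts (URL string, URL object,
// binary data, range transport, or a parameter object) into one object.
function toParams(src, pdfjsLib) {
  if (typeof src === "string" || src instanceof URL) {
    return { url: src };
  }
  if (src instanceof ArrayBuffer || ArrayBuffer.isView(src)) {
    return { data: src };
  }
  const Range = pdfjsLib && pdfjsLib.PDFDataRangeTransport;
  if (Range && src instanceof Range) {
    return { range: src };
  }
  if (src === null || typeof src !== "object") {
    throw new TypeError("unsupported getDocument() source");
  }
  return { ...src }; // copy, so the caller's object is not mutated
}

// Build the hardened parameters. The override is spread last, so a
// caller-supplied `isEvalSupported: true` cannot switch the option back on.
function hardenParams(src, pdfjsLib) {
  return { ...toParams(src, pdfjsLib), isEvalSupported: false };
}

// Drop-in replacement for pdfjsLib.getDocument(src).
function safeGetDocument(pdfjsLib, src) {
  return pdfjsLib.getDocument(hardenParams(src, pdfjsLib));
}
```

Routing every call site through `safeGetDocument` also covers callers that pass a bare URL or byte array, where there is no options object to carry the setting.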