Debian 9810 Published by

A php-dompdf security update has been released for Debian GNU/Linux 10 LTS to address multiple vulnerabilities.

[SECURITY] [DLA 3495-1] php-dompdf security update

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3495-1 Bastien Roucariès
July 13, 2023
- -------------------------------------------------------------------------

Package : php-dompdf
Version : 0.6.2+dfsg-3+deb10u1
CVE ID : CVE-2021-3838 CVE-2022-2400
Debian Bug : #1015874

Multiple vulnerabilies were fixed in php-dompdf a CSS 2.1 compliant HTML
to PDF converter, written in PHP.


php-dompdf was vulnerable to deserialization of Untrusted Data using
PHAR deserialization (phar://) as url for image.


php-dompdf was vulnerable to External Control of File Name bypassing
unallowed access verification.

For Debian 10 buster, these problems have been fixed in version

We recommend that you upgrade your php-dompdf packages.

For the detailed security status of php-dompdf please refer to
its security tracker page at:

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: