ELA-691-1 wkhtmltopdf security update

Directory traversal vulnerability

Version 0.12.1-2+deb8u1 (jessie), (stretch)
Related CVEs CVE-2020-21365

A directory traversal vulnerability in wkhtmltopdf, a set of CLI utilities that convert HTML to PDF or image using WebKit, allows remote attackers to read local files and disclose sensitive information via a crafted HTML file when wkhtmltopdf runs with its default configuration.

Note that this is a breaking change: local filesystem access is now blocked by default. If you need to enable it, use --enable-local-file-access. Another option is to use --allow <path> to specify the folder(s) from which local files are allowed to be loaded.
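
The wrapper below is an added example, not code from Debian or from the wkhtmltopdf project. It shows the narrower of the two options: local file access stays blocked except for a single asset directory passed with --allow. The function names, the WKHTMLTOPDF variable and the rule against top-level directories are assumptions of this example.

```shell
#!/bin/sh
# Added example: call wkhtmltopdf with local file access limited to one
# asset directory via --allow, instead of --enable-local-file-access.
# Assumption: WKHTMLTOPDF names the binary (overridable for testing).
: "${WKHTMLTOPDF:=wkhtmltopdf}"

# resolve_asset_dir DIR
# Prints the canonical path of DIR if it is acceptable as an --allow target.
resolve_asset_dir() {
    case "$1" in
        /*) ;;
        *) echo "asset dir must be an absolute path: $1" >&2; return 1 ;;
    esac
    # Canonicalise so symlinks and ".." cannot widen the allowed area.
    real=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "asset dir does not exist: $1" >&2; return 1; }
    # Policy choice of this example: "/" or a top-level directory such as
    # /etc or /home is too broad for an asset directory, so refuse it.
    case "$real" in
        /*/*) printf '%s\n' "$real" ;;
        *) echo "asset dir too broad: $real" >&2; return 1 ;;
    esac
}

# render_pdf ASSET_DIR INPUT_HTML OUTPUT_PDF
# Converts INPUT_HTML, allowing local files to be loaded from ASSET_DIR only.
render_pdf() {
    allowed=$(resolve_asset_dir "$1") || return 1
    "$WKHTMLTOPDF" --allow "$allowed" "$2" "$3"
}
```

Call it as render_pdf /srv/app/templates invoice.html invoice.pdf, where the directory and file names are placeholders for your own.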

For Debian 8 jessie, these problems have been fixed in version 0.12.1-2+deb8u1.

For Debian 9 stretch, these problems have been fixed in version

We recommend that you upgrade your wkhtmltopdf packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.