UbuntuUpdates.org

Package "batik"

Name: batik

Description:

This package is just an umbrella for a group of other packages, it has no description.
Description samples from packages in group:

  • xml.apache.org SVG Library
Latest version: 1.10-2~18.04.1
Release: bionic (18.04)
Level: updates
Repository: universe

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Other versions of "batik" in Bionic

Repository Area Version
base universe 1.9-3
security universe 1.10-2~18.04.1
proposed universe 1.10-2~18.04

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 1.10-2~18.04.1 2023-05-27 23:06:59 UTC

  batik (1.10-2~18.04.1) bionic-security; urgency=medium

  * SECURITY UPDATE: Server-Side Request Forgery
    - debian/patches/CVE-2019-17566.patch: BATIK-1276: Allow blocking of
      external resources.
    - debian/patches/CVE-2020-11987.patch: BATIK-1284: Dont load DTDs in
      NodePickerPanel.
    - debian/patches/CVE-2022-38398.patch: BATIK-1331: Jar url should be
      blocked by DefaultExternalResourceSecurity.
    - debian/patches/CVE-2022-38648.patch: BATIK-1333: Block external
      resource before calling fop.
    - debian/patches/CVE-2022-40146.patch: BATIK-1335: Jar url should be
      blocked by DefaultScriptSecurity.
    - debian/patches/CVE-2022-41704.patch: BATIK-1338: Block loading jar
      inside svg.
    - debian/patches/CVE-2022-42890.patch: BATIK-1345: Restrict what java
      classes can be run thru rhino.
    - CVE-2019-17566
    - CVE-2020-11987
    - CVE-2022-38398
    - CVE-2022-38648
    - CVE-2022-40146
    - CVE-2022-41704
    - CVE-2022-42890

 -- Paulo Flabiano Smorigo <email address hidden> Mon, 22 May 2023 17:34:34 -0300
Source diff to previous version
CVE-2019-17566 Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the "xlink:href" attributes. By using a specially-c
CVE-2020-11987 Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-craf
CVE-2022-38398 Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a url thru the jar protocol. This issue a
CVE-2022-38648 Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. This issue affects A
CVE-2022-40146 Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affec
CVE-2022-41704 A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics pri
CVE-2022-42890 A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML

Version: 1.10-2~18.04 2019-04-16 18:07:29 UTC

  batik (1.10-2~18.04) bionic; urgency=medium

  * Backport for OpenJDK 11. LP: #1814133.


About   -   Send Feedback to @ubuntu_updates