UbuntuUpdates.org

Package "batik"

Name: batik

Description:

This package is just an umbrella for a group of other packages, it has no description.
Description samples from packages in group:

  • xml.apache.org SVG Library

Latest version: 1.12-1ubuntu0.1
Release: focal (20.04)
Level: updates
Repository: universe

Links



Other versions of "batik" in Focal

Repository Area Version
base universe 1.12-1
security universe 1.12-1ubuntu0.1

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 1.12-1ubuntu0.1 2023-05-27 23:07:01 UTC

  batik (1.12-1ubuntu0.1) focal-security; urgency=medium

  * SECURITY UPDATE: Server-Side Request Forgery
    - debian/patches/CVE-2019-17566.patch: BATIK-1276: Allow blocking of
      external resources.
    - debian/patches/CVE-2020-11987.patch: BATIK-1284: Dont load DTDs in
      NodePickerPanel.
    - debian/patches/CVE-2022-38398.patch: BATIK-1331: Jar url should be
      blocked by DefaultExternalResourceSecurity.
    - debian/patches/CVE-2022-38648.patch: BATIK-1333: Block external
      resource before calling fop.
    - debian/patches/CVE-2022-40146.patch: BATIK-1335: Jar url should be
      blocked by DefaultScriptSecurity.
    - debian/patches/CVE-2022-41704.patch: BATIK-1338: Block loading jar
      inside svg.
    - debian/patches/CVE-2022-42890.patch: BATIK-1345: Restrict what java
      classes can be run thru rhino.
    - CVE-2019-17566
    - CVE-2020-11987
    - CVE-2022-38398
    - CVE-2022-38648
    - CVE-2022-40146
    - CVE-2022-41704
    - CVE-2022-42890

 -- Paulo Flabiano Smorigo <email address hidden> Tue, 23 May 2023 15:47:40 -0300

CVE-2019-17566 Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the "xlink:href" attributes. By using a specially-c
CVE-2020-11987 Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-craf
CVE-2022-38398 Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a url thru the jar protocol. This issue a
CVE-2022-38648 Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. This issue affects A
CVE-2022-40146 Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affec
CVE-2022-41704 A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics pri
CVE-2022-42890 A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML



About   -   Send Feedback to @ubuntu_updates