Maven Doxia / DOXIA-593

Upgrade to Apache FOP 2.3


    Details

    • Type: Dependency upgrade
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.9
    • Component/s: None
    • Labels:
      None

      Description

      Upgrade to FOP 2.3 to address the security issue in Batik CVE-2018-8013 

      org.apache.xmlgraphics:batik-dom is a Java-based toolkit for applications or applets that want to use images in the Scalable Vector Graphics (SVG) format for various purposes, such as display, generation or manipulation.

      Affected versions of this package are vulnerable to Information Exposure during deserialization. When deserializing a subclass of AbstractDocument, the class takes a string from the inputStream as the class name, which it then uses to call the no-arg constructor of the class.

      Upgrade org.apache.xmlgraphics:batik-dom to version 1.10 or higher.

      Upgrade to FontBox 2.0.12 due to CVE-2018-8036 

      Found with Snyk.io
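
The pattern described above (a class name read from the serialized stream and used to call a no-arg constructor) is shown here in hardened form, as an added example that is not code from this issue, from Batik or from Doxia. `DocumentHolder`, its `ALLOWED` allow-list and the sample classes are hypothetical and constructed for illustration.

```java
import java.io.*;
import java.util.Set;

// Hypothetical class for illustration; it is not Batik's AbstractDocument.
public class DocumentHolder implements Serializable {
    private static final long serialVersionUID = 1L;
    // Assumed allow-list of implementation classes the application expects.
    private static final Set<String> ALLOWED = Set.of("java.util.ArrayList");

    private transient Object implementation;

    public DocumentHolder(Object implementation) { this.implementation = implementation; }

    private void writeObject(ObjectOutputStream out) throws IOException {
        out.defaultWriteObject();
        out.writeObject(implementation.getClass().getName()); // class name travels as a string
    }

    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        String name = (String) in.readObject();
        // The weak form would pass `name` straight to Class.forName(...) and call the
        // no-arg constructor. Here unknown names are rejected before any class is loaded.
        if (!ALLOWED.contains(name)) {
            throw new InvalidObjectException("unexpected implementation class: " + name);
        }
        try {
            implementation = Class.forName(name, false, getClass().getClassLoader())
                                  .getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException e) {
            throw new InvalidObjectException("cannot instantiate " + name);
        }
    }

    static Object roundTrip(Object o) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        roundTrip(new DocumentHolder(new java.util.ArrayList<>())); // name is on the allow-list
        try {
            // Constructed stand-in for a class name the application does not expect.
            roundTrip(new DocumentHolder(new java.util.LinkedList<>()));
        } catch (InvalidObjectException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```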


            People

            • Assignee:
              slachiewicz Sylwester Lachiewicz
              Reporter:
              slachiewicz Sylwester Lachiewicz