Maven Doxia / DOXIA-593

Upgrade to Apache FOP 2.3

    Details

    • Type: Dependency upgrade
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.9
    • Component/s: None
    • Labels:
      None

      Description

      Upgrade to FOP 2.3 to address the security issue in Batik CVE-2018-8013 

      org.apache.xmlgraphics:batik-dom is a Java-based toolkit for applications or applets that want to use images in the Scalable Vector Graphics (SVG) format for various purposes, such as display, generation or manipulation.

      Affected versions of this package are vulnerable to Information Exposure during deserialization. When deserializing a subclass of AbstractDocument, the class takes a string from the inputStream as the class name, which it then uses to call the no-arg constructor of the class.

      Upgrade org.apache.xmlgraphics:batik-dom to version 1.10 or higher.

      Upgrade to FontBox 2.0.12 due to CVE-2018-8036 

      Found with Snyk.io
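
A check for the versions named in this issue, as an added example that is not part of the original issue or of the Doxia code base: it scans the text output of `mvn dependency:tree` for batik-dom below 1.10 and FontBox below 2.0.12. The sample tree is constructed, the function names are hypothetical, and the `org.apache.pdfbox:fontbox` coordinate is not stated on the page.

```python
import re

# Minimum fixed versions taken from this issue.
MIN_FIXED = {
    "org.apache.xmlgraphics:batik-dom": "1.10",
    "org.apache.pdfbox:fontbox": "2.0.12",  # coordinate assumed, not on the page
}

# Constructed sample of `mvn dependency:tree` output (versions are illustrative).
SAMPLE_TREE = """\
[INFO] com.example:docs-site:jar:1.0-SNAPSHOT
[INFO] +- org.apache.xmlgraphics:fop:jar:2.2:compile
[INFO] |  +- org.apache.xmlgraphics:batik-dom:jar:1.9:compile
[INFO] |  \\- org.apache.pdfbox:fontbox:jar:2.0.4:compile
[INFO] \\- org.apache.xmlgraphics:batik-dom:jar:1.10:runtime
"""

def version_key(version):
    """Numeric sort key, so that 1.9 < 1.10 (plain string comparison gets this wrong).
    Simplification: qualifiers such as -SNAPSHOT are ignored, unlike full Maven ordering."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("-")[0])]
    return tuple(nums + [0] * (4 - len(nums)))

def parse_node(line):
    """Return (groupId:artifactId, version) for a dependency node, else None.
    Nodes look like groupId:artifactId:type[:classifier]:version:scope."""
    for token in line.split():
        parts = token.split(":")
        if len(parts) in (5, 6):
            return f"{parts[0]}:{parts[1]}", parts[-2]
    return None  # the project root line has no scope and is skipped

def find_vulnerable(tree_text):
    """List (coordinate, resolved version, minimum fixed version) for each stale node."""
    findings = []
    for line in tree_text.splitlines():
        node = parse_node(line)
        if node is None or node[0] not in MIN_FIXED:
            continue
        coord, resolved = node
        if version_key(resolved) < version_key(MIN_FIXED[coord]):
            findings.append((coord, resolved, MIN_FIXED[coord]))
    return findings

if __name__ == "__main__":
    for coord, resolved, fixed in find_vulnerable(SAMPLE_TREE):
        print(f"{coord} {resolved} is below {fixed}")
```

Running it over the full transitive tree matters here because batik-dom and FontBox typically arrive through FOP rather than as direct dependencies.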

              People

              • Assignee:
                slachiewicz Sylwester Lachiewicz
                Reporter:
                slachiewicz Sylwester Lachiewicz