Details
- Dependency upgrade
- Status: Closed
- Major
- Resolution: Fixed
Description
Upgrade to FOP 2.3 to address the security issue in Batik CVE-2018-8013
org.apache.xmlgraphics:batik-dom is a Java-based toolkit for applications or applets that want to use images in the Scalable Vector Graphics (SVG) format for various purposes, such as display, generation or manipulation.
Affected versions of this package are vulnerable to Information Exposure during deserialization. When deserializing a subclass of AbstractDocument, the class takes a string from the inputStream as the class name and then uses it to call the no-arg constructor of that class.
Upgrade org.apache.xmlgraphics:batik-dom to version 1.10 or higher.
Upgrade to FontBox 2.0.12 due to CVE-2018-8036
Found with Snyk.io
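To confirm that a build no longer resolves the affected versions, the following added example (not part of the original ticket or of Doxia) scans `mvn dependency:tree` output for the artifacts named above. It assumes the versions in the ticket are minimums and that FOP and FontBox use the Maven coordinates `org.apache.xmlgraphics:fop` and `org.apache.pdfbox:fontbox`, which the ticket does not spell out; the sample tree is constructed.

```python
import re

# Fixed versions named in the ticket. Treating each as a minimum is this
# example's assumption; the groupIds for fop and fontbox are not on the page.
MIN_FIXED = {
    ("org.apache.xmlgraphics", "batik-dom"): "1.10",  # CVE-2018-8013
    ("org.apache.xmlgraphics", "fop"): "2.3",         # target named in the ticket
    ("org.apache.pdfbox", "fontbox"): "2.0.12",       # CVE-2018-8036
}

# group:artifact:type[:classifier]:version:scope as printed by dependency:tree
COORD = re.compile(
    r"([\w.\-]+):([\w.\-]+):[\w.\-]+(?::[\w.\-]+)?:([\w.\-]+)"
    r":(?:compile|provided|runtime|test|system)\b"
)

def version_key(version):
    """Numeric components only; qualifiers such as -SNAPSHOT are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))

def is_older(found, minimum):
    """Component-wise compare, so 1.9.1 < 1.10 (a string compare gets this wrong)."""
    a, b = version_key(found), version_key(minimum)
    width = max(len(a), len(b))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(a) < pad(b)

def find_outdated(tree_text):
    """Return (coordinate, found, minimum) for each dependency below its fixed version."""
    hits = []
    for m in COORD.finditer(tree_text):
        group, artifact, found = m.groups()
        minimum = MIN_FIXED.get((group, artifact))
        if minimum and is_older(found, minimum):
            hits.append((f"{group}:{artifact}", found, minimum))
    return hits

# Constructed sample output, not taken from a real build.
SAMPLE_TREE = r"""
[INFO] org.example:site-demo:jar:1.0
[INFO] +- org.apache.xmlgraphics:fop:jar:2.2:compile
[INFO] |  +- org.apache.xmlgraphics:batik-dom:jar:1.9.1:compile
[INFO] |  \- org.apache.pdfbox:fontbox:jar:2.0.12:compile
[INFO] \- junit:junit:jar:4.12:test
"""

if __name__ == "__main__":
    for coord, found, minimum in find_outdated(SAMPLE_TREE):
        print(f"{coord} {found} is below {minimum}")
```

Transitive copies matter here: batik-dom usually arrives through FOP rather than as a direct dependency, so the check runs over the full resolved tree.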
Issue Links
- supercedes DOXIA-409 Upgrade to Apache FOP 2.2 (was 1.0) (Closed)