[Bug 65166] New: Apache Batik 1.13 vulnerabilities (CVE-2020-11987, CVE-2020-11988)


[Bug 65166] New: Apache Batik 1.13 vulnerabilities (CVE-2020-11987, CVE-2020-11988)

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=65166

            Bug ID: 65166
           Summary: Apache Batik 1.13 vulnerabilities (CVE-2020-11987,
                    CVE-2020-11988)
           Product: POI
           Version: 5.0.0-FINAL
          Hardware: All
                OS: All
            Status: NEW
          Severity: major
          Priority: P2
         Component: POI Overall
          Assignee: [hidden email]
          Reporter: [hidden email]
  Target Milestone: ---

Apache Batik 1.13 vulnerabilities:
- CVE-2020-11987 (Apache Batik 1.13)
- CVE-2020-11988 (Apache XmlGraphics Commons 2.4)

Reviewing the repository I found that you already bumped Batik from 1.13 to 1.14.

Given these reported vulnerabilities, could you make a new release with the
updated dependencies?

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


[Bug 65166] Apache Batik 1.13 vulnerabilities (CVE-2020-11987, CVE-2020-11988)

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=65166

PJ Fanning <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #1 from PJ Fanning <[hidden email]> ---
This work is done. POI 6.0.0 (probable next release number) will be released
when it is ready.

Users can add explicit dependencies in their builds to batik 1.14 or exclude
batik transitive dependency if they don't need it (only a small number of POI
APIs need batik to work).

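The two workarounds named in Comment #1 (pin Batik to 1.14, or drop the transitive Batik dependency when none of the SVG-rendering POI APIs are used), shown as a Maven `pom.xml` fragment. This is an added example, not code from the bug thread or from the POI project. The groupId `org.apache.xmlgraphics` is the real Batik/XmlGraphics coordinate; the individual Batik module names listed under `dependencyManagement` are assumed and should be replaced by whatever `mvn dependency:tree -Dincludes=org.apache.xmlgraphics` reports for your own build.

```xml
<!-- Added example (not from the bug thread or the POI project).
     Shows the two mitigations from Comment #1 for a build that pulls in
     POI 5.0.0. Batik module artifactIds below are assumed; verify with
     mvn dependency:tree -Dincludes=org.apache.xmlgraphics -->
<project>
  <dependencyManagement>
    <dependencies>
      <!-- Option 1: force the transitive Batik modules to 1.14. A version
           declared here in the consuming project overrides the version
           poi-ooxml declares for the same artifact. One entry is needed per
           Batik module that actually appears in the dependency tree. -->
      <dependency>
        <groupId>org.apache.xmlgraphics</groupId>
        <artifactId>batik-bridge</artifactId>   <!-- assumed module name -->
        <version>1.14</version>
      </dependency>
      <dependency>
        <groupId>org.apache.xmlgraphics</groupId>
        <artifactId>batik-codec</artifactId>    <!-- assumed module name -->
        <version>1.14</version>
      </dependency>
      <dependency>
        <groupId>org.apache.xmlgraphics</groupId>
        <artifactId>batik-svggen</artifactId>   <!-- assumed module name -->
        <version>1.14</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.apache.poi</groupId>
      <artifactId>poi-ooxml</artifactId>
      <version>5.0.0</version>
      <!-- Option 2: exclude the whole org.apache.xmlgraphics group (every
           Batik module and xmlgraphics-commons) when the few POI APIs that
           need Batik are not used. The "*" wildcard needs Maven 3.2.1+.
           Remove this block if Option 1 is the one you want. -->
      <exclusions>
        <exclusion>
          <groupId>org.apache.xmlgraphics</groupId>
          <artifactId>*</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>
</project>
```

Either way, confirm the result with `mvn dependency:tree -Dincludes=org.apache.xmlgraphics`: with Option 1 every listed Batik artifact should resolve at 1.14 and none at 1.13; with Option 2 the filtered tree should be empty. Option 2 also removes `xmlgraphics-commons`, the artifact named for CVE-2020-11988 in the report, so it covers both CVEs at once; Option 1 only does if the pinned Batik modules bring in a newer `xmlgraphics-commons`, which the same tree output will show.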


[Bug 65166] Apache Batik 1.13 vulnerabilities (CVE-2020-11987, CVE-2020-11988)

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=65166

--- Comment #2 from Daniel Subelman <[hidden email]> ---
Thanks for the response.
