Any idea when the maven repositories will get updated with 1.8? > On Mar 17, 2015, at 4:27 AM, Luis Bernardo <[email protected]> wrote: > > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > CVE-2015-0250: > Apache Batik information disclosure vulnerability > > > Severity: > Medium > > > Vendor: > The Apache Software Foundation > > > Versions Affected: > Batik 1.0 - 1.7 > > > Description: > Files lying on the filesystem of the server which uses batik can > be revealed to arbitrary users who send maliciously formed SVG > files. The file types that can be shown depend on the user context > in which the exploitable application is running. If the user is root > a full compromise of the server--including confidential or sensitive > files--would be possible. > > XXE can also be used to attack the availability of the server > via denial of service as the references within a xml document > can trivially trigger an amplification attack. > > > Mitigation: > Users should upgrade to Batik 1.8+ > > > Credit: > This issue was independently reported by Nicolas Gregoire of AGARRI > (www.agarri.fr) and Kevin Schaller of ERNW (www.ernw.de). > > References: > http://xmlgraphics.apache.org/security.html > > Luis Bernardo > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.12 (Darwin) > > iQEcBAEBAgAGBQJVB++5AAoJEIIDaYnVa18X7LUH/0c9UNsa27D+lUdH0a+ADqWm > molgIssNAw4oUmZSzm4VKRhE3poG+d0WLhL2l5HpSJDBpOXLbE3txlYuiEHWibjf > Ho1ImstDLstsF3T933Gad8eseSU2GusFIqWbjnRVxdMwqK+en4EOXfNEFysofls8 > zQk//K5s3nDog2YP272IZkQjfkyvwPF3v4pSzVSnIxcod7OffIMpqvQ4lFahq8H6 > cG84RhmJTQ2oo4I4v/tb+jELgZSTvN5U+owzQejwuQxYaCgyK18Rzpi3bi5TiEy5 > TpH5Bq5jT7cOqG2IUNSE7W1tk1JeNP0iuxBQN+yFZK0YAXpWHP9yXUd2fe1mu3Y= > =XBUb > -----END PGP SIGNATURE----- >
--------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
