Fedora has issued an advisory today (March 29):
The issue is fixed upstream in 1.1.2.
Mageia 6 is also affected.
Fixed upstream in 1.1.2
Fixed both mga6 and cauldron!
Updated svgsalamander package fixes security vulnerability:
A vulnerability was found in the svgsalamander library. If the library is used
in a web application to process user-supplied SVG files, the application is
vulnerable to server-side request forgery (SSRF) (CVE-2017-5617).
Updated packages in core/updates_testing:
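The advisory above says only that processing user-supplied SVG with the library can lead to SSRF, not which SVG constructs trigger the outbound request. As an added example (not code from svgsalamander, Mageia or anyone in this thread), here is a pre-screen a web application can run on an uploaded SVG before handing it to any renderer. It assumes the usual SSRF vector in SVG documents, references to external resources through href/xlink:href attributes, CSS url() and @import, and it refuses documents carrying a DTD outright. The function names external_refs/is_safe, the sample document and the host internal.example are all constructed for this example.

```python
"""Pre-screen an SVG document for references that a renderer might fetch.

Added example, not svgsalamander or Mageia code. It does not describe the
svgsalamander bug itself; it assumes the generic SVG SSRF vector (external
hrefs, CSS url()/@import) and refuses DTDs before parsing.
"""
import re
import xml.etree.ElementTree as ET

XLINK_NS = "http://www.w3.org/1999/xlink"
HREF_ATTRS = ("href", "{%s}href" % XLINK_NS)   # SVG 2 href and SVG 1.1 xlink:href
SAFE_PREFIXES = ("#", "data:")                  # in-document or inline references only
URL_FUNC = re.compile(r"url\(\s*['\"]?([^'\")\s]+)")
CSS_IMPORT = re.compile(r"@import\s+['\"]?([^'\";\s)]+)")


class UnsafeSvg(ValueError):
    """Raised when the document must not even be parsed."""


def _is_external(ref):
    ref = ref.strip()
    return bool(ref) and not ref.startswith(SAFE_PREFIXES)


def external_refs(svg_bytes):
    """Return every reference in the document that points outside it."""
    # A DTD lets the author declare entities; user uploads do not need one.
    if re.search(rb"<!DOCTYPE", svg_bytes, re.IGNORECASE):
        raise UnsafeSvg("DTD in user-supplied SVG is refused")
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        raise UnsafeSvg("malformed XML: %s" % exc) from exc

    found = []
    for el in root.iter():
        for attr in HREF_ATTRS:
            val = el.get(attr)
            if val is not None and _is_external(val):
                found.append(val.strip())
        # CSS can reference resources too: style attributes and <style> bodies.
        css = el.get("style", "")
        if el.tag.rsplit("}", 1)[-1] == "style":
            css += el.text or ""
        for pattern in (URL_FUNC, CSS_IMPORT):
            for m in pattern.finditer(css):
                if _is_external(m.group(1)):
                    found.append(m.group(1))
    return found


def is_safe(svg_bytes):
    """True when the document carries no reference outside itself."""
    return not external_refs(svg_bytes)


# Constructed sample: one in-document <use>, one inline data: image, and
# three external references a vulnerable renderer would try to fetch.
SAMPLE_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="10" height="10">
  <defs><circle id="dot" r="1"/></defs>
  <use xlink:href="#dot"/>
  <image xlink:href="data:image/png;base64,iVBORw0KGgo="/>
  <image xlink:href="http://internal.example/status"/>
  <rect style="fill:url(http://internal.example/pattern.svg#p)" width="1" height="1"/>
  <style>@import "http://internal.example/theme.css";</style>
</svg>
"""

if __name__ == "__main__":
    for ref in external_refs(SAMPLE_SVG):
        print("external reference:", ref)
    print("safe:", is_safe(SAMPLE_SVG))
```

Running the screen before the library ever sees the file keeps the decision in the application's hands regardless of what the renderer does with external references; a rejected upload can be logged with the offending reference for later review.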
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Tried to find some test case, but all I find delves too deep into Java for me.
# urpmq --whatrequires svgsalamander
So I installed josm, but when I try to use it from the CLI it first throws pages of errors and finally starts up, but loading any of the maps available from the menu just results in a black screen, even after 20 min.
Of course, in such a case there are no refs to svgsalamander in the trace.
Clean install is all I get at the moment.
Clean install and upgrade are sufficient.
OK, will be done.
Installed and tested without issue.
System: Mageia 6, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.
Tested using josm. There were some error messages when starting josm but nothing related to svgsalamander.
$ uname -a
Linux marte 4.14.106-desktop-1.mga6 #1 SMP Thu Mar 14 18:01:29 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Validating. Advisory in comment 2.
An update for this issue has been pushed to the Mageia Updates repository.