Apache has issued an advisory on February 24: https://www.openwall.com/lists/oss-security/2021/02/24/2
The issue is fixed upstream in 1.14: https://xmlgraphics.apache.org/security.html
Mageia 7 and Mageia 8 are also affected.
Status comment: (none) => Fixed upstream in 1.14
Whiteboard: (none) => MGA8TOO, MGA7TOO
Fixed in cauldron/mga8 src:
- batik-1.14-1.mga8
Not yet fixed for mga 7.
Assignee: java => bugsquad
CC: (none) => mageia
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Version: Cauldron => 8
Assignee: bugsquad => java
Blocks: (none) => 28479
Blocks: (none) => 28491
I cloned this bug report for tracking this in Mageia 7.
Status comment: Fixed upstream in 1.14 => (none)
Assignee: java => qa-bugs
Whiteboard: MGA7TOO => (none)
The new rpm I just uploaded fixes (or at least tries to fix) bug: https://bugs.mageia.org/show_bug.cgi?id=28479
Package list:
batik-css-1.14-1.1.mga8
batik-util-1.14-1.1.mga8
batik-svgpp-1.14-1.1.mga8
batik-slideshow-1.14-1.1.mga8
batik-rasterizer-1.14-1.1.mga8
batik-squiggle-1.14-1.1.mga8
batik-ttf2svg-1.14-1.1.mga8
batik-1.14-1.1.mga8
batik-demo-1.14-1.1.mga8
batik-javadoc-1.14-1.1.mga8
Advisory:
========================

Updated batik packages fix security vulnerability:

The Apache Batik library is vulnerable to SSRF via the NodePickerPanel, which allows an attacker to cause the underlying server to make arbitrary GET requests (CVE-2020-11987).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11987
https://www.openwall.com/lists/oss-security/2021/02/24/2
https://xmlgraphics.apache.org/security.html
mga8, X86_64

`locate batik` returns 5741 references.
/usr/share/batik/samples/samples/tests contains SVG files and other things.
https://xmlgraphics.apache.org/batik/using/
This is more than a toolkit for manipulating SVG format images, but going any further than that requires too much time for a non-user.

$ urpmq --whatrequires batik
batik-demo
batik-rasterizer
batik-slideshow
batik-squiggle
batik-svgpp
batik-ttf2svg
fop
publican

Information about FOP: https://xmlgraphics.apache.org/fop/2.6/output.html
A quick look at that shows that fop is very specialized and beyond our scope because it requires too much prior knowledge. The CLI examples require data files to be prepared.

batik-slideshow has a website: https://mvnrepository.com/artifact/batik/batik-slideshow
and a pointer to a book: https://www.amazon.com/Java-Drawing-Apache-Batik-Tutorial/dp/.....

publican again requires a course of instruction:
https://jfearn.fedorapeople.org/en-US/Publican/4.0/html/Users_Guide/pref-Publican-Users_Guide-Introduction.html
<quote>
Publican is a tool for publishing material authored in DocBook XML. This guide explains how to create and build books and articles using Publican. It is not a general DocBook XML tutorial; refer to DocBook: The Definitive Guide by Norman Walsh and Leonard Muellner, available at http://www.docbook.org/tdg/en/html/docbook.html for more general help with DocBook XML.
</quote>

Admitting defeat and going for a clean install.
....
Preparing...
#############################################
1/9: batik-util
#############################################
2/9: batik-css
#############################################
3/9: batik
#############################################
4/9: batik-demo
#############################################
5/9: batik-ttf2svg
#############################################
6/9: batik-squiggle
#############################################
7/9: batik-rasterizer
#############################################
8/9: batik-slideshow
#############################################
9/9: batik-svgpp
#############################################

Yep, that's fine.
Whiteboard: (none) => MGA7TOO MGA8-64-OK
CC: (none) => tarazed25
This bug involves MGA7 as well as MGA8, and was sent to QA as such. I don't see anything here about any MGA7 packages being ready, but decided to try, anyway. However, qarepo reports no packages in MGA7 updates_testing that fit the "batik*" search term. So, how to proceed? Bug 28479 is also waiting for an OK from QA, but that can't happen until this bug is taken care of.
CC: (none) => andrewsfarm
Mageia 7 got moved to Bug 28491.
Whiteboard: MGA7TOO MGA8-64-OK => MGA8-64-OK
OK then, validating this one. Advisory in Comment 5.
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
*** Bug 28491 has been marked as a duplicate of this bug. ***
Blocks: (none) => 26800
Advisory pushed to SVN.
Keywords: (none) => advisory
CVE: (none) => CVE-2020-11987
CC: (none) => ouaurelien
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0139.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Fedora has issued an advisory for this on March 19:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/W7EAYO5XIHD6OIEA3HPK64UDDBSLNAC5/