Bug 580541 - Security vulnerabilities in jetty, equinox
Add notes about Batik of Apache XML graphics

Change-Id: I37003a60662cbb4571ab1d2f73ae6c60b066af92
ajohnson1 committed Apr 10, 2023
1 parent 83e6870 commit f90a0ab
Showing 2 changed files with 130 additions and 2 deletions.
57 changes: 56 additions & 1 deletion plugins/org.eclipse.mat.ui.help/noteworthy.dita
@@ -50,7 +50,7 @@

<section>
<title>Security fixes</title>
Memory Analyzer 1.14.0 includes the security fixes first included in Memory Analyzer 1.9.2.
Eclipse Memory Analyzer 1.14.0 includes the security fixes first included in Eclipse Memory Analyzer 1.9.2.
We recommend users of stand-alone Eclipse Memory Analyzer version 1.13.0 or earlier and
highly recommend users of Eclipse Memory Analyzer version 1.9.1 or earlier to update to version 1.14.0 or subsequent versions.
<dl>
@@ -176,6 +176,61 @@
</dl>
</dd>
</dlentry>
<dlentry>
<dt><xref format="html" scope="external" href="https://www.cve.org/CVERecord?id=CVE-2022-41704">CVE-2022-41704</xref></dt>
<dd>
<dl>
<dlentry>
<dt>PROBLEMTYPE</dt>
<dd>CWE-918: Server-Side Request Forgery (SSRF)</dd>
</dlentry>
<dlentry>
<dt>DESCRIPTION</dt>
<dd>A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code
from an SVG. This issue affects Apache XML Graphics prior to 1.16.
It is recommended to update to version 1.16.
</dd>
</dlentry>
<dlentry>
<dt>NOTES</dt>
<dd>Stand-alone Eclipse Memory Analyzer version 1.13 and earlier ships a version of
Batik of Apache XML Graphics subject to this CVE.
Eclipse Memory Analyzer does not directly use SVG.
Batik of Apache XML Graphics is a dependency of Eclipse E4 RCP and BIRT,
which are dependencies of Eclipse Memory Analyzer.
</dd>
</dlentry>
</dl>
</dd>
</dlentry>
<dlentry>
<dt><xref format="html" scope="external" href="https://www.cve.org/CVERecord?id=CVE-2022-42890">CVE-2022-42890</xref></dt>
<dd>
<dl>
<dlentry>
<dt>PROBLEMTYPE</dt>
<dd>CWE-918: Server-Side Request Forgery (SSRF)</dd>
</dlentry>
<dlentry>
<dt>DESCRIPTION</dt>
<dd>A vulnerability in Batik of Apache XML Graphics allows an attacker
to run Java code from untrusted SVG via JavaScript.
This issue affects Apache XML Graphics prior to 1.16.
Users are recommended to upgrade to version 1.16.
</dd>
</dlentry>
<dlentry>
<dt>NOTES</dt>
<dd>Stand-alone Eclipse Memory Analyzer version 1.13 and earlier ships a version of
Batik of Apache XML Graphics subject to this CVE.
Eclipse Memory Analyzer does not directly use SVG.
Batik of Apache XML Graphics is a dependency of Eclipse E4 RCP and BIRT,
which are dependencies of Eclipse Memory Analyzer.
</dd>
</dlentry>
</dl>
</dd>
</dlentry>
</dl>
The stand-alone Memory Analyzer 1.13.0 and later also includes security fixes from the underlying Eclipse Platform. These include fixes for the following.
<dl>
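Review bot: The PROBLEMTYPE for both new entries (CVE-2022-41704 and CVE-2022-42890) is given as `CWE-918: Server-Side Request Forgery (SSRF)`, but each DESCRIPTION describes an attacker running untrusted Java code from an SVG, which is a code-execution weakness rather than SSRF; it reads as if the CWE line was carried over from the preceding Batik entry. Please check the problem type against the CVE records linked in the `<xref>` elements and correct it, since readers use that field to judge exposure. The NOTES also say the vulnerable Batik arrives via Eclipse E4 RCP and BIRT but do not state which Batik version 1.14.0 ships; naming it would let readers confirm it is 1.16 or later, as the DESCRIPTION recommends.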
75 changes: 74 additions & 1 deletion plugins/org.eclipse.mat.ui.help/noteworthy.html
@@ -49,7 +49,7 @@ <h1 class="title topictitle1" id="ariaid-title1">New and Noteworthy</h1>

<div class="section"><h2 class="title sectiontitle">Security fixes</h2>

Memory Analyzer 1.14.0 includes the security fixes first included in Memory Analyzer 1.9.2.
Eclipse Memory Analyzer 1.14.0 includes the security fixes first included in Eclipse Memory Analyzer 1.9.2.
We recommend users of stand-alone Eclipse Memory Analyzer version 1.13.0 or earlier and
highly recommend users of Eclipse Memory Analyzer version 1.9.1 or earlier to update to version 1.14.0 or subsequent versions.
<dl class="dl">
@@ -221,6 +221,79 @@ <h1 class="title topictitle1" id="ariaid-title1">New and Noteworthy</h1>
</dd>



<dt class="dt dlterm"><a class="xref" href="https://www.cve.org/CVERecord?id=CVE-2022-41704" target="_blank">CVE-2022-41704</a></dt>

<dd class="dd">
<dl class="dl">

<dt class="dt dlterm">PROBLEMTYPE</dt>

<dd class="dd">CWE-918: Server-Side Request Forgery (SSRF)</dd>



<dt class="dt dlterm">DESCRIPTION</dt>

<dd class="dd">A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code
from an SVG. This issue affects Apache XML Graphics prior to 1.16.
It is recommended to update to version 1.16.
</dd>



<dt class="dt dlterm">NOTES</dt>

<dd class="dd">Stand-alone Eclipse Memory Analyzer version 1.13 and earlier ships a version of
Batik of Apache XML Graphics subject to this CVE.
Eclipse Memory Analyzer does not directly use SVG.
Batik of Apache XML Graphics is a dependency of Eclipse E4 RCP and BIRT,
which are dependencies of Eclipse Memory Analyzer.
</dd>


</dl>

</dd>



<dt class="dt dlterm"><a class="xref" href="https://www.cve.org/CVERecord?id=CVE-2022-42890" target="_blank">CVE-2022-42890</a></dt>

<dd class="dd">
<dl class="dl">

<dt class="dt dlterm">PROBLEMTYPE</dt>

<dd class="dd">CWE-918: Server-Side Request Forgery (SSRF)</dd>



<dt class="dt dlterm">DESCRIPTION</dt>

<dd class="dd">A vulnerability in Batik of Apache XML Graphics allows an attacker
to run Java code from untrusted SVG via JavaScript.
This issue affects Apache XML Graphics prior to 1.16.
Users are recommended to upgrade to version 1.16.
</dd>



<dt class="dt dlterm">NOTES</dt>

<dd class="dd">Stand-alone Eclipse Memory Analyzer version 1.13 and earlier ships a version of
Batik of Apache XML Graphics subject to this CVE.
Eclipse Memory Analyzer does not directly use SVG.
Batik of Apache XML Graphics is a dependency of Eclipse E4 RCP and BIRT,
which are dependencies of Eclipse Memory Analyzer.
</dd>


</dl>

</dd>


</dl>

The stand-alone Memory Analyzer 1.13.0 and later also includes security fixes from the underlying Eclipse Platform. These include fixes for the following.
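Review bot: This HTML hunk repeats the DITA change verbatim, including the `CWE-918: Server-Side Request Forgery (SSRF)` PROBLEMTYPE that does not match the code-execution DESCRIPTION for CVE-2022-41704 and CVE-2022-42890, so the same correction is needed here. If noteworthy.html is generated from noteworthy.dita, regenerate it after fixing the source rather than editing both files by hand, so the two cannot drift apart.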