Batik-css-1.8 has high severity vulnerability #13
Comments
Would help a lot!
…On Tue, Aug 8, 2017 at 2:53 PM, tw-mcummings ***@***.***> wrote:
Hello,
Using antisamy causes batik-css-1.8.jar to be included as a run-time
dependency. There is a high severity CVE against this library:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5662.
batik-1.9 was recently released which fixes this issue. Any chance we could
get a new version of antisamy with this instead of 1.8? I could do a pull
request if you like.
Thanks!
Hello nahsra, I've submitted the pull request to update the batik library. Do you think you'll have time to review it soon?
Thanks for the PR! Merged.
Great, thanks! Any plans for a new release of antisamy with this fix in it? I believe it would be 1.5.7.