Batik-css-1.8 has high severity vulnerability #13
Comments
|
Would help a lot!
…On Tue, Aug 8, 2017 at 2:53 PM, tw-mcummings ***@***.***> wrote:
Hello,
Using antisamy causes batik-css-1.8.jar to be include as a run-time
dependency. There is a high severity CVE against this library:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5662.
batik-1.9 was recently release which fixes this issue. Any chance we could
get a new version of antisamy with this instead of 1.8? I could do a pull
request if you like.
Thanks!
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#13>, or mute the thread
<https://github.com/notifications/unsubscribe-auth/AA3o-rUgYZGW595CLzkWKcW4V5bJWX4Fks5sWLydgaJpZM4OxNf6>
.
|
|
Hello nahsra, I've submitted the pull request to update the batik library. Do you think you'll have time to review it soon? |
|
Thanks for the PR! Merged. |
|
Great, thanks! Any plans for a new release of antisamy with this fix in it? I believe it would be 1.5.7. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hello,
Using antisamy causes batik-css-1.8.jar to be include as a run-time dependency. There is a high severity CVE against this library: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5662.
batik-1.9 was recently release which fixes this issue. Any chance we could get a new version of antisamy with this instead of 1.8? I could do a pull request if you like.
Thanks!
The text was updated successfully, but these errors were encountered: