batik (1.14-2ubuntu0.1) kinetic-security; urgency=medium

  * SECURITY UPDATE: Server-Side Request Forgery
    - debian/patches/CVE-2022-38398.patch: BATIK-1331: Jar url should be
      blocked by DefaultExternalResourceSecurity.
    - debian/patches/CVE-2022-38648.patch: BATIK-1333: Block external
      resource before calling fop.
    - debian/patches/CVE-2022-40146.patch: BATIK-1335: Jar url should be
      blocked by DefaultScriptSecurity.
    - debian/patches/CVE-2022-41704.patch: BATIK-1338: Block loading jar
      inside svg.
    - debian/patches/CVE-2022-42890.patch: BATIK-1345: Restrict what java
      classes can be run thru rhino.
    - CVE-2022-38398
    - CVE-2022-38648
    - CVE-2022-40146
    - CVE-2022-41704
    - CVE-2022-42890

 -- Paulo Flabiano Smorigo <email address hidden>  Tue, 23 May 2023 15:42:39 -0300

batik (1.14-2) unstable; urgency=medium

  * Team upload
  * Adding classpaths and main classes in the manifests of the built jars
    (Closes: #1013281)
  * Reworking debian/watch:
    - Raising its version to 4
    - Using secure URI
  * Raising Standards version to 4.6.1 (no change)
  * Refreshing d/copyright
  * Getting rid of unneeded versioned dependencies in d/control

  [ Andrius Merkys ]
  * Remove Onkar Shinde from the uploaders list per request.
    Thanks for your contributions.

 -- Pierre Gruet <email address hidden>  Mon, 18 Jul 2022 23:48:46 +0200

batik (1.14-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 1.14 (Closes: #1000561)
    Addresses CVE-2020-11987 (Closes: #984829)
  * Set Rules-Requires-Root: no in debian/control
  * Let java7-runtime-headless satisfy Recommends (Closes: #1000405)
  * Delete patch for CVE-2109-17566; applied upstream
  * Update poms; add batik-shared-resources; remove batik-test-util
  * Add build-dep on libmaven-dependency-plugin-java

 -- tony mancill <email address hidden>  Tue, 23 Nov 2021 21:28:11 -0800