Minor update to libsvgsalamander-java
For svgSalamander 1.1.2, a fix for CVE-2017-5617 (#853134) was
upstreamed by Vincent Privat.
However, upstream included the patch modified, with a flag in the
"global data object" SVGUniverse, with the default being "allow it":
> private boolean imageDataInlineOnly = false;
I wonder whether this is good (enough) for Debian (and the rest of the
world), since we would need to make sure that this is set to true:
SVGUniverse svgUniverse = new SVGUniverse();
in all projects using svgSalamander (which does not seem to be much for
$ apt-cache rdepends libsvgsalamander-java
If we agree, then I will create an upstream issue.
Also, is there value in updating svgSalamander from 1.1.1 to 1.1.2?
(I fixed a bug triggered in Freeplane in upstream, but Freeplane contains a
workaround). I can offer to do this, if we have an agreement for the
Cheers and Best Regards,
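
An added example (not from the original mail or from svgSalamander): a shell helper that walks an unpacked source tree and lists the Java files that obtain an SVGUniverse without switching the flag on in the same file. The setter name setImageDataInlineOnly, the SVGCache.getSVGUniverse pattern, the function names and the sample files are assumptions made for this example.

```sh
#!/bin/sh
# audit_svg_universe DIR: one line per Java file under DIR that obtains an SVGUniverse.
#   OK    <file>  setImageDataInlineOnly(true) is called in the same file
#   CHECK <file>  no such call found, so the flag may still be at its default
# Heuristic: the flag could be set in another file. The setter name is assumed
# from the field shown in the mail.
audit_svg_universe() {
    find "$1" -type f -name '*.java' | sort | while IFS= read -r f; do
        # Skip files that neither construct a universe nor use the shared one.
        grep -Eq 'new[[:space:]]+SVGUniverse[[:space:]]*\(|SVGCache\.getSVGUniverse' "$f" || continue
        if grep -Eq 'setImageDataInlineOnly[[:space:]]*\([[:space:]]*true[[:space:]]*\)' "$f"; then
            printf 'OK    %s\n' "$f"
        else
            printf 'CHECK %s\n' "$f"
        fi
    done
}

# count_unreviewed DIR: number of files that still need a manual look.
count_unreviewed() {
    audit_svg_universe "$1" | grep -c '^CHECK' || true
}

# make_sample_tree: constructed sample sources (not real packages) for a dry run.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/viewer" "$d/editor" "$d/util"
    cat > "$d/viewer/IconLoader.java" <<'EOF'
class IconLoader {
    SVGUniverse svgUniverse = new SVGUniverse();
}
EOF
    cat > "$d/editor/Canvas.java" <<'EOF'
class Canvas {
    Canvas() {
        SVGUniverse svgUniverse = new SVGUniverse();
        svgUniverse.setImageDataInlineOnly(true);
    }
}
EOF
    printf 'class Strings { }\n' > "$d/util/Strings.java"
    printf '%s\n' "$d"
}

tree=$(make_sample_tree)
audit_svg_universe "$tree"
rm -rf "$tree"
```

Pointed at the unpacked source of each package listed by apt-cache rdepends, the CHECK lines are the places to review by hand.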