
Bug#1050537: bookworm-pu: package batik/1.16+dfsg-1+deb12u1
Control: tags -1 confirmed

On Fri, 2023-08-25 at 22:26 +0200, Pierre Gruet wrote:
> CVE-2022-44729 and CVE-2022-44730 have been filed against batik. They
> are fixed in sid (and soon trixie). I discussed with the Security team;
> they said a DSA is not needed but suggested fixing the CVEs in bookworm
> in a point release.
> 
> The two CVEs are corrected by backporting upstream changes.
> 
> [ Impact ]
> The two CVEs would remain:
> ``A malicious SVG can probe user profile / data and send it directly
> as parameter to a URL.''
> and
> ``A malicious SVG could trigger loading external resources by
> default, causing resource consumption or in some cases even
> information disclosure.''
> 

Please go ahead.

Regards,

Adam