Bug 65166 - Apache Batik 1.13 vulnerabilities (CVE-2020-11987, CVE-2020-11988)
Alias: None
Product: POI
Classification: Unclassified
Component: POI Overall
Version: 5.0.0-FINAL
Hardware: All All
Importance: P2 major
Target Milestone: ---
Assignee: POI Developers List
Depends on:
Reported: 2021-03-04 22:46 UTC by Daniel Subelman
Modified: 2021-03-08 17:55 UTC
Description Daniel Subelman 2021-03-04 22:46:06 UTC
Apache Batik 1.13 vulnerabilities: 
- CVE-2020-11987 (Apache Batik 1.13)
- CVE-2020-11988 (Apache XmlGraphics Commons 2.4)

Reviewing the repository, I found that you already bumped Batik from 1.13 to 1.14.

Given these reported vulnerabilities, could you make a new release with the updated dependencies?
Comment 1 PJ Fanning 2021-03-08 15:55:11 UTC
This work is done. POI 6.0.0 (probable next release number) will be released when it is ready.

Users can add explicit dependencies in their builds to batik 1.14 or exclude the batik transitive dependency if they don't need it (only a small number of POI APIs need batik to work).
Comment 2 Daniel Subelman 2021-03-08 17:55:58 UTC
Thanks for the response.
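
The two workarounds from Comment 1, sketched as a Maven `pom.xml` fragment. This is an added example, not part of the original thread and not taken from the POI build. It assumes a Maven project that depends on `poi-ooxml` 5.0.0 and that Batik arrives transitively as `org.apache.xmlgraphics:batik-all`; adjust the coordinates to what your own dependency tree shows.

```xml
<!-- Added example; assumes poi-ooxml 5.0.0 pulls in
     org.apache.xmlgraphics:batik-all:1.13 transitively. -->

<!-- Option A: keep Batik but force the transitive version to 1.14. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.apache.xmlgraphics</groupId>
      <artifactId>batik-all</artifactId>
      <version>1.14</version>
    </dependency>
  </dependencies>
</dependencyManagement>

<dependencies>
  <dependency>
    <groupId>org.apache.poi</groupId>
    <artifactId>poi-ooxml</artifactId>
    <version>5.0.0</version>
    <!-- Option B (instead of A): drop Batik entirely when the
         application does not use the POI APIs that need it. -->
    <exclusions>
      <exclusion>
        <groupId>org.apache.xmlgraphics</groupId>
        <artifactId>batik-all</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
</dependencies>
```

Use one option, not both. Running `mvn dependency:tree -Dincludes=org.apache.xmlgraphics` afterwards shows which Batik and XmlGraphics Commons versions the build actually resolves.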