65166 – Apache Batik 1.13 vulnerabilities (CVE-2020-11987, CVE-2020-11988)

Bug 65166 - Apache Batik 1.13 vulnerabilities (CVE-2020-11987, CVE-2020-11988)

Summary: Apache Batik 1.13 vulnerabilities (CVE-2020-11987, CVE-2020-11988)

Status:	RESOLVED FIXED

Alias:	None

Product:	POI
Classification:	Unclassified
Component:	POI Overall (show other bugs)
Version:	5.0.0-FINAL
Hardware:	All All

Importance:	P2 major (vote)
Target Milestone:	---
Assignee:	POI Developers List

URL:
Keywords:

Depends on:
Blocks:

Reported:	2021-03-04 22:46 UTC by Daniel Subelman
Modified:	2021-03-08 17:55 UTC (History)
CC List:	0 users

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Daniel Subelman 2021-03-04 22:46:06 UTC

Apache Batik 1.13 vulnerabilities: 
- CVE-2020-11987 (Apache Batik 1.13)
- CVE-2020-11988 (Apache XmlGraphics Commons 2.4)

Reviewing the repository I found that you already bump Batik from 1.13 to 1.14.

Given this reported vulnerabilities, could you make a new release with the updated dependencies?

Comment 1 PJ Fanning 2021-03-08 15:55:11 UTC

This work is done. POI 6.0.0 (probable next release number) will be released when it is ready.

Users can add explicit dependencies in their builds to batik 1.14 or exclude batik transitive dependency if they don't need it (only a small number of POI APIs need batik to work).

Comment 2 Daniel Subelman 2021-03-08 17:55:58 UTC

Thanks for the response.