This fix in v1.8 still hasn't found its way to Maven Central. I
suspect I know why. I tried downloading the source and building the
maven-artifacts target. There is a directive in the build.xml file
that is incompatible with the version of Ant that is included in the
source distribution:

BUILD FAILED
batik-1.8/build.xml:1837: The <jar> type doesn't support the
"flattenattributes" attribute.

According to the Ant documentation (
https://ant.apache.org/manual/Tasks/manifest.html) this attribute was
introduced in Ant 1.8. The packaged Ant version in lib/build is 1.6.5.

Wasn't sure if I should report this here as a "bug" or subscribe to the dev
list and report it there.

Jay Hartley

On Mar 17, 2015, at 4:02 PM, Mark Mynsted
<mmynsted_consult...@verizon.net> wrote:

> Any idea when the maven repositories will get updated with 1.8?
> On Mar 17, 2015, at 4:27 AM, Luis Bernardo <lberna...@apache.org> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> CVE-2015-0250: Apache Batik information disclosure vulnerability
>>
>> Severity: Medium
>>
>> Vendor: The Apache Software Foundation
>>
>> Versions Affected: Batik 1.0 - 1.7
>>
>> Description: Files lying on the filesystem of the server which uses batik can
>> be revealed to arbitrary users who send maliciously formed SVG files. The
>> file types that can be shown depend on the user context in which the
>> exploitable application is running. If the user is root a full compromise of
>> the server--including confidential or sensitive files--would be possible.
>>
>> XXE can also be used to attack the availability of the server via denial of
>> service as the references within an xml document can trivially trigger an
>> amplification attack.
>>
>> Mitigation: Users should upgrade to Batik 1.8+
>>
>> Credit: This issue was independently reported by Nicolas Gregoire of AGARRI
>> (www.agarri.fr) and Kevin Schaller of ERNW (www.ernw.de).
>>
>> References: http://xmlgraphics.apache.org/security.html
>>
>> Luis Bernardo
