Hi, I am maintaining some software that currently uses Batik 1.7 and fop 0.95 (I know!). Because of the security problem CVE-2015-0250 (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0250) the customer wants us to upgrade Batik to 1.8. But 1.8 suffers from https://issues.apache.org/jira/browse/BATIK-1125 and https://issues.apache.org/jira/browse/BATIK-1111.
Actually, that may be only in the versions uploaded to Maven, but they are biting me in any case. There are simple SVG files that Batik 1.8 from the mvn repo doesn't work on.

It looks to me like Batik 1.7.1 would be perfect for me. The Batik downloads page says "Note that the only change between versions 1.7.1 and 1.7 and between versions 1.6.1 and 1.6 is the security fix for the XXE vulnerability CVE-2015-0250" which would be great. Unfortunately, I can't find any version of 1.7.1 on any Maven repo. I suppose that it is possible to download 1.7.1 by hand, then extract the jars I need, then figure out how to get them into my project, but the mvn-type dependency resolution is so nice.

So, does anyone know where I can find 1.7.1 on a mvn repo (or is able to upload a new one)? Or, is there an updated 1.8 somewhere that doesn't have the problems in the current 1.8? Or, should I be emailing another email list? Is this more appropriate to the developers' list?

Thanks,
Michael