Source: fop Version: 1:1.0.dfsg-1 Severity: important Tags: upstream security
Hi, the following vulnerability was published for fop. CVE-2017-5661: | In Apache FOP before 2.2, files lying on the filesystem of the server | which uses FOP can be revealed to arbitrary users who send maliciously | formed SVG files. The file types that can be shown depend on the user | context in which the exploitable application is running. If the user | is root a full compromise of the server - including confidential or | sensitive files - would be possible. XXE can also be used to attack | the availability of the server via denial of service as the references | within a xml document can trivially trigger an amplification attack. I was not able to verify that myself, but it is claimed to affect all fop version from 1.0 up to 2.1. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see:  https://security-tracker.debian.org/tracker/CVE-2017-5661 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5661  http://www.openwall.com/lists/oss-security/2017/04/18/2 Regards, Salvatore __ This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.