
A batik security update has been released for Debian GNU/Linux 8 Extended LTS to address an issue where the Apache Batik library can be made to perform arbitrary GET requests via xlink:href attributes on SVG files.



ELA-237-1 batik security update

Package: batik
Version: 1.7+dfsg-5+deb8u2
Related CVE: CVE-2019-17566

The Apache Batik library can be made to perform arbitrary GET requests via xlink:href attributes on SVG files. Since there can be legitimate use cases for xlink:href attributes, this update introduces a new option, -blockExternalResources, that can be used to prevent fetching external resources.
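A pre-conversion check for the behaviour described above, as an added example that is not part of the advisory or of Batik: it lists the xlink:href and href values in an SVG that would require a fetch outside the document, so untrusted files can be rejected or processed only with -blockExternalResources. The sample SVG and its host names are constructed, and the check covers href attributes only, not other reference mechanisms such as CSS url().

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

# Constructed sample input (hypothetical hosts), not taken from the advisory.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <defs><circle id="dot" r="4"/></defs>
  <use xlink:href="#dot"/>
  <image xlink:href="data:image/png;base64,AAAA" width="1" height="1"/>
  <image xlink:href="http://internal.example/admin" width="1" height="1"/>
  <use xlink:href="//cdn.example/shapes.svg#star"/>
  <image xlink:href="tiles/bg.png" width="1" height="1"/>
</svg>"""


def classify(ref):
    """Return 'internal', 'embedded' or 'external' for one href value."""
    ref = ref.strip()
    if ref.startswith("#"):
        return "internal"      # same-document fragment, nothing is fetched
    if urlsplit(ref).scheme.lower() == "data":
        return "embedded"      # payload is inline, nothing is fetched
    return "external"          # any other scheme, //host, or a relative path


def external_references(svg_text):
    """List (tag, href) pairs that point outside the document itself."""
    root = ET.fromstring(svg_text)
    found = []
    for el in root.iter():
        for attr in (XLINK_HREF, "href"):
            ref = el.get(attr)
            if ref is not None and classify(ref) == "external":
                # Strip the "{namespace}" prefix ElementTree puts on tags.
                found.append((el.tag.rsplit("}", 1)[-1], ref))
    return found


if __name__ == "__main__":
    for tag, ref in external_references(SAMPLE_SVG):
        print(f"external reference in <{tag}>: {ref}")
```

Relative paths are reported as external because they resolve against the document's base location and still cause a resource load outside the file.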

For Debian 8 Jessie, these problems have been fixed in version 1.7+dfsg-5+deb8u2.

We recommend that you upgrade your batik packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/
