ELA-237-1 batik security update
Package: batik
Version: 1.7+dfsg-5+deb8u2
Related CVE: CVE-2019-17566
The Apache Batik library can be made to perform arbitrary GET requests via xlink:href attributes on SVG files. Since there can be legitimate use cases for xlink:href attributes, this update introduces a new option, -blockExternalResources, that can be used to prevent fetching external resources.
For Debian 8 Jessie, this problem has been fixed in version 1.7+dfsg-5+deb8u2.
We recommend that you upgrade your batik packages.
Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/
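A pre-render check for the issue described above, as an added example that is not part of this advisory or of Batik: it lists the xlink:href targets in an SVG that would make a renderer load something from outside the document. The function name `external_refs` and the sample SVG are assumptions made for illustration, and only xlink:href attributes are inspected.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"  # Clark notation for xlink:href

# Constructed sample input; the host and file names are placeholders.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10">
  <defs><rect id="shape" width="4" height="4"/></defs>
  <use xlink:href="#shape"/>
  <image xlink:href="data:image/png;base64,AAAA" width="1" height="1"/>
  <image xlink:href="http://intranet.example/status" width="1" height="1"/>
  <image xlink:href="logo.png" width="1" height="1"/>
</svg>"""


def external_refs(svg_text):
    """Return (element, target) pairs for xlink:href values that leave the document."""
    # Conservative choice for untrusted input: refuse DTDs rather than let the
    # XML parser expand entities declared in them.
    if "<!doctype" in svg_text.lower():
        raise ValueError("DOCTYPE not accepted in untrusted SVG")
    found = []
    for el in ET.fromstring(svg_text).iter():
        target = (el.get(XLINK_HREF) or "").strip()
        if not target or target.startswith("#"):
            continue  # no reference, or a same-document fragment
        if urlsplit(target).scheme.lower() == "data":
            continue  # content is embedded inline, nothing is fetched
        # Absolute URLs and relative paths both make the renderer load something.
        found.append((el.tag.rsplit("}", 1)[-1], target))
    return found


if __name__ == "__main__":
    for element, target in external_refs(SAMPLE_SVG):
        print(f"external reference on <{element}>: {target}")
```

A check like this is useful for logging or rejecting untrusted uploads before they reach the renderer; it complements the -blockExternalResources option rather than replacing it.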