Greetings.
I've been asked to check whether it is possible to backport the fixes for a 
couple of critical security vulnerabilities that have been reported against 
Batik 1.12:
1. Reported fixed in Batik 1.14 - CVE-2020-11987: improper input validation by 
the NodePickerPanel and
2. Reported fixed in Batik 1.13 - CVE-2019-17566: improper input validation by 
the "xlink:href" attributes

I tried searching through both the dev and commits mailing list archives to see 
if I could identify/isolate the specific changes that addressed these CVEs, but 
could not find any related messages based on the CVE #s above.

Can anyone point me towards the changed files that provided the fixes?

Thanks
