-------------------------------------------------------------------------
Debian LTS Advisory DLA-3619-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                    Bastien Roucariès
October 14, 2023                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package        : batik
Version        : 1.10-2+deb10u3
CVE ID         : CVE-2020-11987 CVE-2022-38398 CVE-2022-38648 CVE-2022-40146
                 CVE-2022-44729 CVE-2022-44730
Debian Bug     : 984829 1020589

Batik is a toolkit for applications or applets that want to use images in
the Scalable Vector Graphics (SVG) format for various purposes, such as
viewing, generation or manipulation.

CVE-2020-11987

    A server-side request forgery was found, caused by improper input
    validation by the NodePickerPanel. By using a specially crafted
    argument, an attacker could exploit this vulnerability to cause the
    underlying server to make arbitrary GET requests.

CVE-2022-38398

    A Server-Side Request Forgery (SSRF) vulnerability was found that
    allows an attacker to load a URL through the jar protocol.

CVE-2022-38648

    A Server-Side Request Forgery (SSRF) vulnerability was found that
    allows an attacker to fetch external resources.

CVE-2022-40146

    A Server-Side Request Forgery (SSRF) vulnerability was found that
    allows an attacker to access files using a jar URL.

CVE-2022-44729

    A Server-Side Request Forgery (SSRF) vulnerability was found. A
    malicious SVG could trigger loading of external resources by default,
    causing resource consumption or, in some cases, even information
    disclosure.

CVE-2022-44730

    A Server-Side Request Forgery (SSRF) vulnerability was found. A
    malicious SVG can probe user profile data and send it directly as a
    parameter to a URL.

For Debian 10 buster, these problems have been fixed in version
1.10-2+deb10u3.

We recommend that you upgrade your batik packages.
For the detailed security status of batik please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/batik

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be found
at: https://wiki.debian.org/LTS