Control: tags -1 confirmed

On Fri, 2023-08-25 at 22:26 +0200, Pierre Gruet wrote:
> CVE-2022-44729 and CVE-2022-44730 have been filed against batik. They
> are fixed in sid (and soon trixie). I discussed with the Security team;
> they said a DSA is not needed but suggested fixing the CVEs in bookworm
> in a point release.
>
> The two CVEs are corrected by backporting upstream changes.
>
> [ Impact ]
> The two CVEs would remain:
> ``A malicious SVG can probe user profile / data and send it directly as
> parameter to a URL.''
> and
> ``A malicious SVG could trigger loading external resources by default,
> causing resource consumption or in some cases even information
> disclosure.''
>

Please go ahead.

Regards,
Adam