[ https://issues.apache.org/jira/browse/OFBIZ-7136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15304059#comment-15304059 ]

Jacques Le Roux commented on OFBIZ-7136:
----------------------------------------

Done in trunk at r1745751, R15.12 r1745752

I did not try to update to version 2.0.1. I only tested by using https://localhost:8443/example/control/ExampleReportPdfOptions?exampleId=EX01 but I got nothing. So I tried with R15.12 before backporting and got the same issue. So I guess it's unrelated to this update.

Moreover, with both branches I get an error in the log for the barcode PDF: I opened OFBIZ-7137.

I don't close it yet, I'll look at other releases later; it's not obvious if upgrading from 1.7.1 to 1.8.12 can be done w/o side effects.

> Upgrade PDFBox to 1.8.12 (or 2.0.1?) due to vulnerability
> ---------------------------------------------------------
>
>                 Key: OFBIZ-7136
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-7136
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>
> CVE-2016-2175: Apache PDFBox XML External Entity vulnerability
>
> Severity: Important
>
> Versions Affected:
> Apache PDFBox 1.8.0 to 1.8.11
> Apache PDFBox 2.0.0
> Earlier, unsupported Apache PDFBox versions may be affected as well
>
> Description:
> Apache PDFBox parses different XML data within PDF files such as XMP and the
> initialization of the XML parsers did not protect against XML External Entity
> (XXE) vulnerabilities. According to www.owasp.org [1]: "This attack may lead
> to the disclosure of confidential data, denial of service, server side
> request forgery, port scanning from the perspective of the machine where the
> parser is located, and other system impacts."
>
> Mitigation:
> Upgrade to Apache PDFBox 1.8.12 respectively 2.0.1
>
> Credit:
> This issue was discovered by Arthur Khashaev (https://khashaev.ru), Seulgi
> Kim, Mesut Timur and Microsoft Vulnerability Research.
>
> [1] https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
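The advisory quoted above traces the issue to how the XML parsers were initialized. As an added illustration (example code written for this page, not code from OFBiz or PDFBox), the following shows a hardened JAXP DocumentBuilder set-up beside the unprotected default, run against a constructed XMP packet; the feature and attribute names are the standard JAXP/Xerces ones, and both sample packets are constructed.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.IOException;
import java.io.StringReader;

public class XmpParserHardening {

    // Hardened initialization: refuse any DOCTYPE (so no entities can be declared at all),
    // and as a second layer forbid external entities and external DTD/schema access.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    // Unprotected initialization, as a parser created with plain defaults behaves.
    static DocumentBuilder defaultBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Returns true if the builder accepts the packet, false if it rejects it.
    static boolean accepts(DocumentBuilder b, String xmp) throws IOException {
        try {
            return b.parse(new InputSource(new StringReader(xmp))).getDocumentElement() != null;
        } catch (SAXException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a minimal XMP packet of the kind stored in a PDF metadata stream.
        String clean = "<?xpacket begin='' id='W5M0MpCehiHzreSzNTczkc9d'?>"
            + "<x:xmpmeta xmlns:x='adobe:ns:meta/'><rdf:RDF "
            + "xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'/></x:xmpmeta><?xpacket end='w'?>";
        // Constructed sample: same packet preceded by a DOCTYPE declaring an external entity.
        // Legitimate XMP never carries a DOCTYPE, so rejecting it outright costs nothing.
        String withDoctype = "<!DOCTYPE x [<!ENTITY e SYSTEM 'file:///placeholder-not-read'>]>" + clean;
        System.out.println("default  accepts clean=" + accepts(defaultBuilder(), clean)
            + " doctype=" + accepts(defaultBuilder(), withDoctype));   // true, true
        System.out.println("hardened accepts clean=" + accepts(hardenedBuilder(), clean)
            + " doctype=" + accepts(hardenedBuilder(), withDoctype));  // true, false
    }
}
```

The unreferenced entity keeps the run offline; the point is that the hardened builder fails fast on the DOCTYPE itself, before any entity could be resolved.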