ESAPI / esapi-java-legacy

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications.
https://owasp.org/www-project-enterprise-security-api/

Upgrade batik-css-1.14 because of vulnerability #755

Closed pf-BenF closed 1 year ago

pf-BenF commented 1 year ago

Hi folks,

just wanted to let you know that some vulnerabilities have been discovered in batik-css 1.14:

Any chance to get this dependency upgraded to batik-1.16?

jeremiahjstacey commented 1 year ago

Thank you for the visibility into the concern.

The batik-css dependency is a transitive reference inherited from Antisamy (see command output below).

As part of the standard release process workflow, the direct ESAPI dependencies are updated. Assuming that there is a new Antisamy version before the next ESAPI release, it will be accounted for at that time. We try not to piecemeal update transitive references, unless absolutely necessary.

Presently there are no new releases for antisamy available; however, the maintainers of that project have already addressed this update in the current baseline in this commit.

Releases between ESAPI and Antisamy projects are normally coordinated efforts, so there is a high probability this will be corrected in the next release for both projects.

To my current knowledge, there is not a declared timeline for the next intended release of ESAPI.

esapi-java-legacy]$ mvn dependency:tree

[ content removed ]

[INFO] +- org.owasp.antisamy:antisamy:jar:1.7.0:compile
[INFO] |  +- net.sourceforge.htmlunit:neko-htmlunit:jar:2.63.0:compile
[INFO] |  +- org.apache.httpcomponents.client5:httpclient5:jar:5.1.3:compile
[INFO] |  |  \- org.apache.httpcomponents.core5:httpcore5-h2:jar:5.1.3:compile
[INFO] |  +- org.apache.httpcomponents.core5:httpcore5:jar:5.1.4:compile
[INFO] |  +- org.apache.xmlgraphics:batik-css:jar:1.14:compile
[INFO] |  |  +- org.apache.xmlgraphics:batik-shared-resources:jar:1.14:compile
[INFO] |  |  +- org.apache.xmlgraphics:batik-util:jar:1.14:compile
[INFO] |  |  |  +- org.apache.xmlgraphics:batik-constants:jar:1.14:compile
[INFO] |  |  |  \- org.apache.xmlgraphics:batik-i18n:jar:1.14:compile
[INFO] |  |  \- org.apache.xmlgraphics:xmlgraphics-commons:jar:2.6:compile
[INFO] |  +- xerces:xercesImpl:jar:2.12.2:compile
[INFO] |  \- xml-apis:xml-apis-ext:jar:1.3.04:compile

[ content removed ]
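While waiting for the coordinated AntiSamy/ESAPI release, a consumer of ESAPI can pin the transitive batik artifacts in its own build. The fragment below is an added example for this thread, not code from the ESAPI or AntiSamy projects: it assumes a Maven consumer pom.xml, that 1.16 is the target version (as the issue suggests), and that the pinned artifact set matches the `dependency:tree` output above; whether batik 1.16 is runtime-compatible with the AntiSamy version you actually ship has to be checked with your own tests.

```xml
<!-- Example only, not ESAPI/AntiSamy project code.
     Place in the consumer's pom.xml. A <dependencyManagement> entry wins over
     the version any transitive POM declares, so antisamy's request for
     batik-css 1.14 resolves to ${batik.version} instead. -->
<project>
  <properties>
    <!-- Assumed target: the version the issue asks for. -->
    <batik.version>1.16</batik.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Artifacts seen under batik-css in the tree above. batik-css 1.16
           already declares its siblings at 1.16; pinning them explicitly
           guards against another path in the build pulling 1.14 back in. -->
      <dependency>
        <groupId>org.apache.xmlgraphics</groupId>
        <artifactId>batik-css</artifactId>
        <version>${batik.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.xmlgraphics</groupId>
        <artifactId>batik-util</artifactId>
        <version>${batik.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.xmlgraphics</groupId>
        <artifactId>batik-shared-resources</artifactId>
        <version>${batik.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.xmlgraphics</groupId>
        <artifactId>batik-constants</artifactId>
        <version>${batik.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.xmlgraphics</groupId>
        <artifactId>batik-i18n</artifactId>
        <version>${batik.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- ESAPI is still declared normally; only the managed versions change.
         The ESAPI version number here is a placeholder. -->
    <dependency>
      <groupId>org.owasp.esapi</groupId>
      <artifactId>esapi</artifactId>
      <version>REPLACE_WITH_YOUR_VERSION</version>
    </dependency>
  </dependencies>
</project>
```

After adding the override, confirm that the resolved tree no longer contains 1.14 with `mvn dependency:tree -Dincludes=org.apache.xmlgraphics`; every batik line should now report the managed version. This is a stopgap for the consumer's own build, and should be dropped once the ESAPI release that carries the updated AntiSamy is adopted, so the project's tested dependency set is restored.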
pf-BenF commented 1 year ago

Ah, thanks for the explanation, understood :-)

kwwall commented 1 year ago

FYI - The AntiSamy team is planning a new release soon, to address the Batik CVEs. We will follow that up with an ESAPI release shortly after that.

On Wed, Nov 2, 2022, 6:29 AM pf-BenF @.***> wrote:

Ah, thanks for the explanation, understood :-)


kwwall commented 1 year ago

@pf-BenF - This will be addressed in the ESAPI 2.5.1.0 release by updating to AntiSamy 1.7.2 which I hope to be releasing in the next day or two.