Closed pf-BenF closed 1 year ago
Thank you for the visibility into the concern.
The batik-css dependency is a transitive reference inherited from Antisamy (see command output below).
As part of the standard release process workflow, the direct ESAPI dependencies are updated. Assuming that there is a new Antisamy version before the next ESAPI release, it will be accounted for at that time. We try not to piecemeal update transitive references, unless absolutely necessary.
Presently there are no new releases of antisamy available; however, the maintainers of that project have already addressed this update in the current baseline in this commit.
Releases between ESAPI and Antisamy projects are normally coordinated efforts, so there is a high probability this will be corrected in the next release for both projects.
To my current knowledge, there is not a declared timeline for the next intended release of ESAPI.
esapi-java-legacy]$ mvn dependency:tree
[ content removed ]
[INFO] +- org.owasp.antisamy:antisamy:jar:1.7.0:compile
[INFO] | +- net.sourceforge.htmlunit:neko-htmlunit:jar:2.63.0:compile
[INFO] | +- org.apache.httpcomponents.client5:httpclient5:jar:5.1.3:compile
[INFO] | | \- org.apache.httpcomponents.core5:httpcore5-h2:jar:5.1.3:compile
[INFO] | +- org.apache.httpcomponents.core5:httpcore5:jar:5.1.4:compile
[INFO] | +- org.apache.xmlgraphics:batik-css:jar:1.14:compile
[INFO] | | +- org.apache.xmlgraphics:batik-shared-resources:jar:1.14:compile
[INFO] | | +- org.apache.xmlgraphics:batik-util:jar:1.14:compile
[INFO] | | | +- org.apache.xmlgraphics:batik-constants:jar:1.14:compile
[INFO] | | | \- org.apache.xmlgraphics:batik-i18n:jar:1.14:compile
[INFO] | | \- org.apache.xmlgraphics:xmlgraphics-commons:jar:2.6:compile
[INFO] | +- xerces:xercesImpl:jar:2.12.2:compile
[INFO] | \- xml-apis:xml-apis-ext:jar:1.3.04:compile
[ content removed ]
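For anyone who cannot wait for the coordinated AntiSamy/ESAPI release, the transitive version can be pinned from the consuming application's own pom.xml with dependencyManagement, which overrides the version declared in AntiSamy's POM at any depth of the tree. The following is an added example, not code from the ESAPI or AntiSamy projects: the group and artifact IDs are the ones in the dependency tree above, the ESAPI version shown is assumed to be the one that currently pulls in AntiSamy 1.7.0, and whether AntiSamy 1.7.0 runs unchanged against Batik 1.16 is an assumption that has to be verified in your own build and tests.

```xml
<!-- Added example (not from the ESAPI project). Pins every Batik artifact that
     appears in the dependency tree to one version, so batik-css and its
     companions (batik-util, batik-i18n, ...) cannot drift apart.
     Assumptions: ESAPI 2.5.0.0 is the release carrying AntiSamy 1.7.0, and
     AntiSamy 1.7.0 is compatible with Batik 1.16 (verify before shipping). -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>      <!-- hypothetical consuming application -->
  <artifactId>esapi-consumer</artifactId>
  <version>1.0-SNAPSHOT</version>

  <properties>
    <!-- single place to bump when the next Batik release appears -->
    <batik.version>1.16</batik.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- dependencyManagement beats the version inherited through
           org.owasp.antisamy:antisamy, so no <exclusions> are needed -->
      <dependency>
        <groupId>org.apache.xmlgraphics</groupId>
        <artifactId>batik-css</artifactId>
        <version>${batik.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.xmlgraphics</groupId>
        <artifactId>batik-shared-resources</artifactId>
        <version>${batik.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.xmlgraphics</groupId>
        <artifactId>batik-util</artifactId>
        <version>${batik.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.xmlgraphics</groupId>
        <artifactId>batik-constants</artifactId>
        <version>${batik.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.xmlgraphics</groupId>
        <artifactId>batik-i18n</artifactId>
        <version>${batik.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- the only direct dependency; AntiSamy and Batik arrive transitively -->
    <dependency>
      <groupId>org.owasp.esapi</groupId>
      <artifactId>esapi</artifactId>
      <version>2.5.0.0</version>   <!-- assumed current release, see lead-in -->
    </dependency>
  </dependencies>
</project>
```

After the change, confirm that the override actually took effect and that nothing else in the tree still resolves to 1.14 with `mvn dependency:tree -Dincludes=org.apache.xmlgraphics` (the `includes` filter is a standard parameter of the maven-dependency-plugin tree goal). Also check the `xmlgraphics-commons` line in that output: the pinned Batik artifacts resolve their own transitive dependencies from the 1.16 POMs, so its version may change along with them, and that is part of what your integration tests need to cover. Treat the pin as a stopgap to be removed once an ESAPI release carrying the updated AntiSamy is available, so the project's coordinated upgrade is not silently overridden forever.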
Ah, thanks for the explanation, understood :-)
FYI - The AntiSamy team is planning a new release soon, to address the Batik CVEs. We will follow that up with an ESAPI release shortly after that.
On Wed, Nov 2, 2022, 6:29 AM pf-BenF @.***> wrote:
Ah, thanks for the explanation, understood :-)
@pf-BenF - This will be addressed in the ESAPI 2.5.1.0 release by updating to AntiSamy 1.7.2 which I hope to be releasing in the next day or two.
Hi folks,
just wanted to let you know that some vulnerabilities have been discovered in batik-css 1.14:
Any chance to get this dependency upgraded to batik-1.16?