Posted to user@poi.apache.org by PJ Fanning <fa...@yahoo.com.INVALID> on 2022/09/22 15:49:54 UTC
Batik 1.15 fixes some security issues
Hi everyone,
Apache Batik [1] is used by Apache POI to work with SVG pictures that can be embedded in Microsoft documents. It is an optional dependency of poi-ooxml and it appears that we only support it in the XSLF packages for pptx files.
Batik 1.15 has just been released and contains a number of security fixes. [2] [3] [4]
We recommend that all users who use the Batik support in poi-ooxml upgrade to Batik 1.15. We do not expect that anyone upgrading from batik 1.14 to 1.15 will see any issues.
There is no plan to do a special POI release because this is an optional dependency.
[1] https://xmlgraphics.apache.org/batik/
[2] https://lists.apache.org/thread/s1jobjxpljx4oygfqjqqfrohnfyyhlbq
[3] https://lists.apache.org/thread/lnh1tnc8gh9r4vh69x3nljcx55v43tcj
[4] https://lists.apache.org/thread/zx2jjvdow82p058sovr5qnxprsq87rg7
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@poi.apache.org
For additional commands, e-mail: user-help@poi.apache.org
Batik 1.16 fixes a security issue
Posted by PJ Fanning <fa...@yahoo.com.INVALID>.
Hi everyone,
Apache Batik 1.16 has been released and contains a security fix [1].
As with the Batik 1.15 release, there is no plan for a poi-ooxml release just to upgrade the dependency. Batik is an optional dependency.
POI users can simply update their own builds to use the newer Batik jars. This should be a smooth upgrade.
Regards,
PJ
[1] https://lists.apache.org/thread/xsghwkk5dgrcyg5hyncsqjwvllr31gps
On Thursday 22 September 2022 at 16:50:14 IST, PJ Fanning <fa...@yahoo.com.invalid> wrote:
Hi everyone,
Apache Batik [1] is used by Apache POI to work with SVG pictures that can be embedded in Microsoft documents. It is an optional dependency of poi-ooxml and it appears that we only support it in the XSLF packages for pptx files.
Batik 1.15 has just been released and contains a number of security fixes. [2] [3] [4]
We recommend that all users who use the Batik support in poi-ooxml upgrade to Batik 1.15. We do not expect that anyone upgrading from batik 1.14 to 1.15 will see any issues.
There is no plan to do a special POI release because this is an optional dependency.
[1] https://xmlgraphics.apache.org/batik/
[2] https://lists.apache.org/thread/s1jobjxpljx4oygfqjqqfrohnfyyhlbq
[3] https://lists.apache.org/thread/lnh1tnc8gh9r4vh69x3nljcx55v43tcj
[4] https://lists.apache.org/thread/zx2jjvdow82p058sovr5qnxprsq87rg7
Re: Batik 1.15 fixes some security issues
Posted by Andreas Reichel <an...@manticore-projects.com>.
Question please: as far as I can see it, Batik still pulls
JAXEN/XercesImpl -- has this been taken care of?
On Thu, 2022-09-22 at 23:15 +0700, Andreas Reichel wrote:
> Thanks for the heads up!
> I wished Apache FOP (or central apache) would be so alert.
>
> Much appreciated!
> Cheers
> Andreas
>
>
>
> On Thu, 2022-09-22 at 15:49 +0000, PJ Fanning wrote:
> > Hi everyone,
> >
> > Apache Batik [1] is used by Apache POI to work with SVG pictures
> > that can be embedded in Microsoft documents. It is an optional
> > dependency of poi-ooxml and it appears that we only support it in
> > the XSLF packages for pptx files.
> >
> > Batik 1.15 has just been released and contains a number of security
> > fixes. [2] [3] [4]
> >
> > We recommend that all users who use the Batik support in poi-ooxml
> > upgrade to Batik 1.15. We do not expect that anyone upgrading from
> > batik 1.14 to 1.15 will see any issues.
> > There is no plan to do a special POI release because this is an
> > optional dependency.
> >
> > [1] https://xmlgraphics.apache.org/batik/
> > [2] https://lists.apache.org/thread/s1jobjxpljx4oygfqjqqfrohnfyyhlbq
> > [3] https://lists.apache.org/thread/lnh1tnc8gh9r4vh69x3nljcx55v43tcj
> > [4] https://lists.apache.org/thread/zx2jjvdow82p058sovr5qnxprsq87rg7
Re: Batik 1.15 fixes some security issues
Posted by Andreas Reichel <an...@manticore-projects.com>.
Thanks for the heads up!
I wished Apache FOP (or central apache) would be so alert.
Much appreciated!
Cheers
Andreas
On Thu, 2022-09-22 at 15:49 +0000, PJ Fanning wrote:
> Hi everyone,
>
> Apache Batik [1] is used by Apache POI to work with SVG pictures that
> can be embedded in Microsoft documents. It is an optional dependency
> of poi-ooxml and it appears that we only support it in the XSLF
> packages for pptx files.
>
> Batik 1.15 has just been released and contains a number of security
> fixes. [2] [3] [4]
>
> We recommend that all users who use the Batik support in poi-ooxml
> upgrade to Batik 1.15. We do not expect that anyone upgrading from
> batik 1.14 to 1.15 will see any issues.
> There is no plan to do a special POI release because this is an optional
> dependency.
>
> [1] https://xmlgraphics.apache.org/batik/
> [2] https://lists.apache.org/thread/s1jobjxpljx4oygfqjqqfrohnfyyhlbq
> [3] https://lists.apache.org/thread/lnh1tnc8gh9r4vh69x3nljcx55v43tcj
> [4] https://lists.apache.org/thread/zx2jjvdow82p058sovr5qnxprsq87rg7