Bug#: 206651
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Petteri Räty <betelgeuse@gentoo.org>
Description:   Opened: 2008-01-19 16:17 0000
From http://xmlgraphics.apache.org/batik/

Security warning

This is a warning that a script security issue was reported in the Batik
Squiggle browser. Squiggle uses the Rhino scripting engine and some features of
that engine can be leveraged by malicious scripts to gain access to otherwise
protected resources (like the file system). This issue was fixed in the 1.5.1
release of Batik. If you are using a version of Batik older than 1.5.1, you
should upgrade.

------- Comment #1 From Robert Buchholz 2008-01-19 22:59:08 0000 -------
So our latest stable 1.6-r3 is not vulnerable to this, but since it and the 1.5
branch are slotted, people might still use the old version.

Do packages depend on this specific slot, or can we just drop it from the tree?

------- Comment #2 From Petteri Räty 2008-01-19 23:20:50 0000 -------
(In reply to comment #1)
> 
> Do packages depend on this specific slot, or can we just drop it from the tree?
> 

Probably not doable at this point in time, but I will version bump 1.5 when I get
to it.

------- Comment #3 From Vlastimil Babka (Caster) 2008-01-20 22:32:48 0000 -------
Turned out that nothing depended on 1.5 anymore, so I removed it. We even had
1.5.1 in the tree, but in its own slot; it was removed earlier.
So to GLSA or not to GLSA? :) We were installing a launcher for the svg
browser...

------- Comment #4 From Sune Kloppenborg Jeppesen 2008-01-21 07:59:43 0000 -------
I tend to vote YES.

------- Comment #5 From Robert Buchholz 2008-02-11 21:28:41 0000 -------
1.5.1 hit the tree about 2004, stable 2005. I vote NO for reasons of
obsoletion.

------- Comment #6 From Pierre-Yves Rofes 2008-02-12 08:22:58 0000 -------
(In reply to comment #5)
> 1.5.1 hit the tree about 2004, stable 2005. I vote NO for reasons of
> obsoletion.
> 

same here, and closing.
