openSUSE Local Security Checks : openSUSE Security Advisory (SUSE-SU-2024:4054-1)

Vulnerability Search		Search 324607 CVE descriptions and 145615 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.856737

Category: openSUSE Local Security Checks

Title: openSUSE Security Advisory (SUSE-SU-2024:4054-1)

Summary: The remote host is missing an update for the 'javapackages-tools, xmlgraphics-batik, xmlgraphics-commons, xmlgraphics-fop' package(s) announced via the SUSE-SU-2024:4054-1 advisory.

Description: Summary:
The remote host is missing an update for the 'javapackages-tools, xmlgraphics-batik, xmlgraphics-commons, xmlgraphics-fop' package(s) announced via the SUSE-SU-2024:4054-1 advisory.

Vulnerability Insight:
This update for javapackages-tools, xmlgraphics-batik, xmlgraphics-commons, xmlgraphics-fop fixes the following issues:

xmlgraphics-fop was updated from version 2.8 to 2.10:

- Security issues fixed:

* CVE-2024-28168: Fixed improper restriction of XML External Entity (XXE) reference (bsc#1231428)

- Upstream changes and bugs fixed:

* Version 2.10:

+ footnote-body ignores rl-tb writing mode
+ SVG tspan content is displayed out of place
+ Added new schema to handle pdf/a and pdfa/ua
+ Correct fop version at runtime
+ NoSuchElementException when using font with no family name
+ Resolve classpath for binary distribution
+ Switch to spotbugs
+ Set an automatic module name
+ Rename packages to avoid conflicts with modules
+ Resize table only for multicolumn page
+ Missing jars in servlet
+ Optimise performance of PNG with alpha using raw loader
+ basic-link not navigating to corresponding footnote
+ Added option to sign PDF
+ Added secure processing for XSL input
+ Allow sections which need security permissions to be run when AllPermission denied in caller code
+ Remove unused PDFStructElem
+ Remove space generated by fo:wrapper
+ Reset content length for table changing ipd
+ Added alt text to PDF signature
+ Allow change of resource level for SVG in AFP
+ Exclude shape not in clipping path for AFP
+ Only support 1 column for redo of layout without page pos only
+ Switch to Jakarta servlet API
+ NPE when list item is split alongside an ipd change
+ Added mandatory MODCA triplet to AFP
+ Redo layout for multipage columns
+ Added image mask option for AFP
+ Skip written block ipds inside float
+ Allow curly braces for src url
+ Missing content for last page with change ipd
+ Added warning when different pdf languages are used
+ Only restart line manager when there is a linebreak for blocklayout

* Version 2.9:

+ Values in PDF Number Trees must be indirect references
+ Do not delete files on syntax errors using command line
+ Surrogate pair edge-case causes Exception
+ Reset character spacing
+ SVG text containing certain glyphs isn't rendered
+ Remove duplicate classes from maven classpath
+ Allow use of page position only on redo of layout
+ Failure to render multi-block itemBody alongside float
+ Update to PDFBox 2.0.27
+ NPE if link destination is missing with accessibility
+ Make property cache thread safe
+ Font size was rounded to 0 for AFP TTF
+ Cannot process a SVG using mvn jars
+ Remove serializer jar
+ Allow creating a PDF 2.0 document
+ Text missing after page break inside table inline
+ IllegalArgumentException for list in a table
+ Table width may be too wide when layout width changes
+ NPE when using broken link and PDF 1.5
+ Allow XMP at PDF page level
+ Symbol font was not being mapped to unicode
+ Correct font differences table for Chrome
+ Link against Java 8 API
+ Added support for ... [Please see the references for more information on the vulnerabilities]

Affected Software/OS:
'javapackages-tools, xmlgraphics-batik, xmlgraphics-commons, xmlgraphics-fop' package(s) on openSUSE Leap 15.5, openSUSE Leap 15.6.

Solution:
Please install the updated package(s).

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2024-28168

Copyright Copyright (C) 2024 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.0.856737
Category:	openSUSE Local Security Checks
Title:	openSUSE Security Advisory (SUSE-SU-2024:4054-1)
Summary:	The remote host is missing an update for the 'javapackages-tools, xmlgraphics-batik, xmlgraphics-commons, xmlgraphics-fop' package(s) announced via the SUSE-SU-2024:4054-1 advisory.
Description:	Summary: The remote host is missing an update for the 'javapackages-tools, xmlgraphics-batik, xmlgraphics-commons, xmlgraphics-fop' package(s) announced via the SUSE-SU-2024:4054-1 advisory. Vulnerability Insight: This update for javapackages-tools, xmlgraphics-batik, xmlgraphics-commons, xmlgraphics-fop fixes the following issues: xmlgraphics-fop was updated from version 2.8 to 2.10: - Security issues fixed: * CVE-2024-28168: Fixed improper restriction of XML External Entity (XXE) reference (bsc#1231428) - Upstream changes and bugs fixed: * Version 2.10: + footnote-body ignores rl-tb writing mode + SVG tspan content is displayed out of place + Added new schema to handle pdf/a and pdfa/ua + Correct fop version at runtime + NoSuchElementException when using font with no family name + Resolve classpath for binary distribution + Switch to spotbugs + Set an automatic module name + Rename packages to avoid conflicts with modules + Resize table only for multicolumn page + Missing jars in servlet + Optimise performance of PNG with alpha using raw loader + basic-link not navigating to corresponding footnote + Added option to sign PDF + Added secure processing for XSL input + Allow sections which need security permissions to be run when AllPermission denied in caller code + Remove unused PDFStructElem + Remove space generated by fo:wrapper + Reset content length for table changing ipd + Added alt text to PDF signature + Allow change of resource level for SVG in AFP + Exclude shape not in clipping path for AFP + Only support 1 column for redo of layout without page pos only + Switch to Jakarta servlet API + NPE when list item is split alongside an ipd change + Added mandatory MODCA triplet to AFP + Redo layout for multipage columns + Added image mask option for AFP + Skip written block ipds inside float + Allow curly braces for src url + Missing content for last page with change ipd + Added warning when different pdf languages are used + Only restart line manager when there is a linebreak for blocklayout * Version 2.9: + Values in PDF Number Trees must be indirect references + Do not delete files on syntax errors using command line + Surrogate pair edge-case causes Exception + Reset character spacing + SVG text containing certain glyphs isn't rendered + Remove duplicate classes from maven classpath + Allow use of page position only on redo of layout + Failure to render multi-block itemBody alongside float + Update to PDFBox 2.0.27 + NPE if link destination is missing with accessibility + Make property cache thread safe + Font size was rounded to 0 for AFP TTF + Cannot process a SVG using mvn jars + Remove serializer jar + Allow creating a PDF 2.0 document + Text missing after page break inside table inline + IllegalArgumentException for list in a table + Table width may be too wide when layout width changes + NPE when using broken link and PDF 1.5 + Allow XMP at PDF page level + Symbol font was not being mapped to unicode + Correct font differences table for Chrome + Link against Java 8 API + Added support for ... [Please see the references for more information on the vulnerabilities] Affected Software/OS: 'javapackages-tools, xmlgraphics-batik, xmlgraphics-commons, xmlgraphics-fop' package(s) on openSUSE Leap 15.5, openSUSE Leap 15.6. Solution: Please install the updated package(s). CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2024-28168
Copyright	Copyright (C) 2024 Greenbone AG