Security update for CVE-2017-14941, CVE-2017-5528, CVE-2017-5529


apo_1

I am looking for more information about three recently published security vulnerabilities, namely CVE-2017-14941, CVE-2017-5528, CVE-2017-5529. I would like to know in which version they were fixed and if a patch exists that could be applied to earlier versions. So far I haven't found any details about the aforementioned CVEs that would allow us to fix the issue. I am grateful for any hints. Thanks in advance.

Thanks for your reply. We do not have a commercial license because we ship jasperreports in Debian GNU/Linux based on its free software license. I have read the advisories but they only recommend upgrading to the latest version. What I am looking for is a patch or the exact commit that fixed the issue, so that we can backport the fix to earlier versions. Upgrading to the latest version is the least preferred option because it might break reverse dependencies. There is also a chance that older versions are not even affected, but without more information about this vulnerability we basically remain in the dark.

For instance, Tomcat [1] has a security page that links to the exact commits which addressed security vulnerabilities. We had hoped Jasperreports would provide the same kind of information.

[1] https://tomcat.apache.org/security-7.html#Apache_Tomcat_7.x_vulnerabilities
