You are viewing a plain text version of this content. The canonical link for it is here.

Posted to fop-dev@xmlgraphics.apache.org by "Simon Steiner (Jira)" <ji...@apache.org> on 2022/11/01 09:28:00 UTC

[jira] [Resolved] (FOP-3104) A FOP 2.7.1 hotfix release with only updated batik dependencies to 1.16

     [ https://issues.apache.org/jira/browse/FOP-3104?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Simon Steiner resolved FOP-3104.
--------------------------------
    Resolution: Duplicate

FOP-3097

> A FOP 2.7.1 hotfix release with only updated batik dependencies to 1.16
> -----------------------------------------------------------------------
>
>                 Key: FOP-3104
>                 URL: https://issues.apache.org/jira/browse/FOP-3104
>             Project: FOP
>          Issue Type: Wish
>    Affects Versions: 2.7
>            Reporter: Martin Hoffmann
>            Priority: Major
>
> Analog to FOP-3097 there are new CVE issues reported for Batik:
> {quote}
> batik 1.14 is a dependency of FOP 2.7.  1.14 has CVE issues considered HIGH and MEDIUM.  
> {color:#DE350B}
> CVE-2022-42890 - HIGH
> CVE-2022-41704 - HIGH
> {color}
> These issues are resolved in batik {color:#DE350B}1.16{color}. 
> The existence of these dependency vulnerabilities cause items such as buildbreaker to prevent proper clean builds when referencing FOP 2.7.  The CVE associated with batik 1.14 are considered vulnerability issues by security teams who run audits and enforce build breaker scenarios, preventing deployments of FOP 2.7 due to the vuln existence.
> WORKAROUND
> The current workaround is for developers to enforce a custom batik dependency override to {color:#DE350B}1.16{color}.  A FOP 2.7.1 hotfix release just to address the batik dependency problem would be appreciated by the extended community.  It theoretically should not require any FOP code changes.
> {quote}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)