List:       fop-dev
Subject:    [jira] [Resolved] (FOP-3097) A FOP 2.7.1 hotfix release with only updated batik dependencies
From:       "Simon Steiner (Jira)" <jira () apache ! org>
Date:       2022-11-09 8:32:00
Message-ID: JIRA.13485485.1665425134000.84045.1667982720015 () Atlassian ! JIRA


     [ https://issues.apache.org/jira/browse/FOP-3097?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Simon Steiner resolved FOP-3097.
--------------------------------
    Resolution: Fixed

released 2.8

> A FOP 2.7.1 hotfix release with only updated batik dependencies
> ---------------------------------------------------------------
> 
> Key: FOP-3097
> URL: https://issues.apache.org/jira/browse/FOP-3097
> Project: FOP
> Issue Type: Wish
> Affects Versions: 2.7
> Reporter: Joshua Marquart
> Priority: Major
> 
> batik 1.14 is a dependency of FOP 2.7.  
> 1.14 has CVE issues considered HIGH and MEDIUM.    
> CVE-2022-40146 - HIGH
> CVE-2022-38648 - MEDIUM
> CVE-2022-38398 - MEDIUM
> These issues are resolved in batik 1.15, but 1.15 still contains vulnerabilities.
> CVE-2022-42890 - MEDIUM
> CVE-2022-41704 - MEDIUM
> These issues are resolved in batik 1.16.
> The existence of these dependency vulnerabilities causes items such as buildbreaker
> to prevent proper clean builds when referencing FOP 2.7. The CVEs associated with
> batik 1.16 are considered vulnerability issues by security teams who run audits and
> enforce build breaker scenarios, preventing deployments of FOP 2.7 due to the vuln
> existence.
> 
> WORKAROUND
> 
> The current workaround is for developers to enforce a custom batik dependency
> override to 1.16. A FOP 2.7.1 hotfix release just to address the batik dependency
> problem would be appreciated by the extended community. It theoretically should
> not require any FOP code changes.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
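The override the reporter describes, written out as a Maven configuration. This is an added example, not code from the ticket or from the FOP project: it pins every Batik artifact that FOP 2.7 pulls in to 1.16 through `dependencyManagement` (which takes precedence over the versions declared transitively by the fop pom) and adds a maven-enforcer-plugin rule that fails the build if any `org.apache.xmlgraphics:batik-*` artifact below 1.16 still resolves, which is the same kind of build-breaker check the ticket says audit teams enforce. The list of batik artifacts, the property name `batik.version`, the execution id and the enforcer plugin version are assumptions; take the artifact list from `mvn dependency:tree -Dincludes=org.apache.xmlgraphics:batik-*` on your own project.

```xml
<!-- pom.xml excerpt: added example, not from FOP-3097 or the FOP project -->
<project>
  <!-- ... your own groupId/artifactId/version, packaging, etc. ... -->

  <properties>
    <!-- 1.16 is the first Batik release without the CVEs listed in the ticket -->
    <batik.version>1.16</batik.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Assumed artifact list: every batik-* artifact FOP 2.7 drags in, direct or
           transitive. dependencyManagement overrides the version FOP declares, so all
           of them must be listed or the tree ends up with a mix of 1.14 and 1.16. -->
      <dependency><groupId>org.apache.xmlgraphics</groupId><artifactId>batik-anim</artifactId><version>${batik.version}</version></dependency>
      <dependency><groupId>org.apache.xmlgraphics</groupId><artifactId>batik-awt-util</artifactId><version>${batik.version}</version></dependency>
      <dependency><groupId>org.apache.xmlgraphics</groupId><artifactId>batik-bridge</artifactId><version>${batik.version}</version></dependency>
      <dependency><groupId>org.apache.xmlgraphics</groupId><artifactId>batik-codec</artifactId><version>${batik.version}</version></dependency>
      <dependency><groupId>org.apache.xmlgraphics</groupId><artifactId>batik-constants</artifactId><version>${batik.version}</version></dependency>
      <dependency><groupId>org.apache.xmlgraphics</groupId><artifactId>batik-css</artifactId><version>${batik.version}</version></dependency>
      <dependency><groupId>org.apache.xmlgraphics</groupId><artifactId>batik-dom</artifactId><version>${batik.version}</version></dependency>
      <dependency><groupId>org.apache.xmlgraphics</groupId><artifactId>batik-ext</artifactId><version>${batik.version}</version></dependency>
      <dependency><groupId>org.apache.xmlgraphics</groupId><artifactId>batik-extension</artifactId><version>${batik.version}</version></dependency>
      <dependency><groupId>org.apache.xmlgraphics</groupId><artifactId>batik-gvt</artifactId><version>${batik.version}</version></dependency>
      <dependency><groupId>org.apache.xmlgraphics</groupId><artifactId>batik-i18n</artifactId><version>${batik.version}</version></dependency>
      <dependency><groupId>org.apache.xmlgraphics</groupId><artifactId>batik-parser</artifactId><version>${batik.version}</version></dependency>
      <dependency><groupId>org.apache.xmlgraphics</groupId><artifactId>batik-script</artifactId><version>${batik.version}</version></dependency>
      <dependency><groupId>org.apache.xmlgraphics</groupId><artifactId>batik-shared-resources</artifactId><version>${batik.version}</version></dependency>
      <dependency><groupId>org.apache.xmlgraphics</groupId><artifactId>batik-svg-dom</artifactId><version>${batik.version}</version></dependency>
      <dependency><groupId>org.apache.xmlgraphics</groupId><artifactId>batik-svggen</artifactId><version>${batik.version}</version></dependency>
      <dependency><groupId>org.apache.xmlgraphics</groupId><artifactId>batik-transcoder</artifactId><version>${batik.version}</version></dependency>
      <dependency><groupId>org.apache.xmlgraphics</groupId><artifactId>batik-util</artifactId><version>${batik.version}</version></dependency>
      <dependency><groupId>org.apache.xmlgraphics</groupId><artifactId>batik-xml</artifactId><version>${batik.version}</version></dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The release the ticket is about; its pom declares batik 1.14 -->
    <dependency>
      <groupId>org.apache.xmlgraphics</groupId>
      <artifactId>fop</artifactId>
      <version>2.7</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- Build breaker: fail if any batik artifact below 1.16 is still on the
           classpath, including ones reached only transitively. Plugin version and
           execution id are assumptions. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.1.0</version>
        <executions>
          <execution>
            <id>ban-vulnerable-batik</id>
            <goals><goal>enforce</goal></goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <excludes>
                    <!-- pattern is groupId:artifactId:versionRange; [,1.16) = anything below 1.16 -->
                    <exclude>org.apache.xmlgraphics:batik-*:[,1.16)</exclude>
                  </excludes>
                  <searchTransitive>true</searchTransitive>
                </bannedDependencies>
              </rules>
              <fail>true</fail>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Run `mvn verify` once with the `dependencyManagement` block commented out to confirm the enforcer rule actually trips on batik 1.14, then re-enable it and check `mvn dependency:tree -Dincludes=org.apache.xmlgraphics` to see that only 1.16 remains. One caveat to check on your own tree: Batik 1.16 was published alongside xmlgraphics-commons 2.8 while FOP 2.7 declares xmlgraphics-commons 2.7, so if the tree shows two versions of `xmlgraphics-commons` competing, manage that artifact the same way rather than leaving the outcome to Maven's nearest-wins resolution.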

