[prev in list] [next in list] [prev in thread] [next in thread]
List: fop-dev
Subject: [jira] [Resolved] (FOP-3097) A FOP 2.7.1 hotfix release with only updated batik dependencies
From: "Simon Steiner (Jira)" <jira () apache ! org>
Date: 2022-11-09 8:32:00
Message-ID: JIRA.13485485.1665425134000.84045.1667982720015 () Atlassian ! JIRA
[Download RAW message or body]
[ https://issues.apache.org/jira/browse/FOP-3097?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel \
]
Simon Steiner resolved FOP-3097.
--------------------------------
Resolution: Fixed
released 2.8
> A FOP 2.7.1 hotfix release with only updated batik dependencies
> ---------------------------------------------------------------
>
> Key: FOP-3097
> URL: https://issues.apache.org/jira/browse/FOP-3097
> Project: FOP
> Issue Type: Wish
> Affects Versions: 2.7
> Reporter: Joshua Marquart
> Priority: Major
>
> batik 1.14 is a dependency of FOP 2.7.
> 1.14 has CVE issues considered HIGH and MEDIUM.
> CVE-2022-40146 - HIGH
> CVE-2022-38648 - MEDIUM
> CVE-2022-38398 - MEDIUM
> These issues are resolved in batik 1.15, but 1.15 still contains vulnerabilities.
> CVE-2022-42890 - MEDIUM
> CVE-2022-41704 - MEDIUM
> These issues are resolved in batik 1.16.
> The existence of these dependency vulnerabilities cause items such as buildbreaker \
> to prevent proper clean builds when referencing FOP 2.7. The CVE associated with \
> batik 1.16 are considered vulnerability issues by security teams who run audits and \
> enforce build breaker scenarios, preventing deployments of FOP 2.7 due to the vuln \
> existence. WORKAROUND
> The current workaround is for developers to enforce a custom batik dependency \
> override to 1.16. A FOP 2.7.1 hotfix release just to address the batik dependency \
> problem would be appreciated by the extended community. It theoretically should \
> not require any FOP code changes.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic