[ 
https://issues.apache.org/jira/browse/FOP-3096?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17613055#comment-17613055
 ] 

Joshua Marquart edited comment on FOP-3096 at 10/5/22 4:14 PM:
---------------------------------------------------------------

Simon-

While you, I, and the general development community do not consider the batik 
1.14 issue a high-priority vulnerability, the existence of the now-legacy 
batik in the build cycle causes problems with those who rely on FOP. The CVEs 
associated with batik 1.14 are considered vulnerability issues by security 
teams who run audits and enforce build-breaker scenarios, preventing 
deployments of FOP 2.7 due to the vuln's existence.

As it stands at this time, due to batik 1.14 dependence, FOP 2.7 scans as

CVE-2022-40146 - HIGH

CVE-2022-38648 - MEDIUM

CVE-2022-38398 - MEDIUM

The current workaround is for developers to enforce a batik dependency override 
to 1.15, but a fop 2.7.1 hotfix release just to address the batik dependency 
problem would go a long way.


was (Author: joshdm):
Simon-

While you, I, and the general development community do not consider the batik 
1.14 issue a vulnerability, the existence of the now-legacy batik in the build 
cycle causes problems with those who rely on FOP. The CVEs associated with 
batik 1.14 are considered vulnerability issues by security teams who run audits 
and enforce build-breaker scenarios, preventing deployments of FOP 2.7 due to 
the vuln's existence.

As it stands at this time, due to batik 1.14 dependence, FOP 2.7 scans as

CVE-2022-40146 - HIGH

CVE-2022-38648 - MEDIUM

CVE-2022-38398 - MEDIUM

The current workaround is for developers to enforce a batik dependency override 
to 1.15, but a fop 2.7.1 hotfix release just to address the batik dependency 
problem would go a long way.

> New version with batik in version 1.15 to resolve CVE-2022-40146
> ----------------------------------------------------------------
>
>                 Key: FOP-3096
>                 URL: https://issues.apache.org/jira/browse/FOP-3096
>             Project: FOP
>          Issue Type: Wish
>    Affects Versions: 2.7
>            Reporter: Alexis Nouvel
>            Priority: Minor
>
> When will a new version of fop that references batik version 1.15 be 
> released?
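The workaround Joshua describes, pinning Batik to 1.15 from the consuming project, as an added Maven example. This is not part of the Jira thread and not FOP's own build file; it assumes a Maven project that depends on org.apache.xmlgraphics:fop 2.7. The coordinates `org.apache.xmlgraphics` and version `1.15` come from the thread; the Batik artifactIds listed are real Batik 1.15 modules, but which of them FOP 2.7 declares directly is an assumption, so confirm the list against your own `mvn dependency:tree` output before relying on the scan result.

```xml
<!-- Consumer pom.xml (added example, not from the FOP project).
     Entries in dependencyManagement take precedence over the version that
     fop 2.7 declares transitively, so each listed Batik artifact resolves to
     1.15 regardless of what fop asks for. Maven's nearest-wins rule means any
     Batik module fop declares directly but that is NOT listed here stays at
     1.14, which is why the list must be checked against dependency:tree. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>          <!-- placeholder coordinates -->
  <artifactId>fop-consumer</artifactId>   <!-- placeholder coordinates -->
  <version>1.0-SNAPSHOT</version>

  <properties>
    <!-- Single property so the pin moves in one place when the next Batik ships -->
    <batik.version>1.15</batik.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- ASSUMPTION: artifact list; verify with
           mvn dependency:tree -Dincludes=org.apache.xmlgraphics:batik*
           and add any batik-* module that still shows 1.14. -->
      <dependency>
        <groupId>org.apache.xmlgraphics</groupId>
        <artifactId>batik-anim</artifactId>
        <version>${batik.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.xmlgraphics</groupId>
        <artifactId>batik-awt-util</artifactId>
        <version>${batik.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.xmlgraphics</groupId>
        <artifactId>batik-bridge</artifactId>
        <version>${batik.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.xmlgraphics</groupId>
        <artifactId>batik-extension</artifactId>
        <version>${batik.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.xmlgraphics</groupId>
        <artifactId>batik-gvt</artifactId>
        <version>${batik.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.xmlgraphics</groupId>
        <artifactId>batik-transcoder</artifactId>
        <version>${batik.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.xmlgraphics</groupId>
        <artifactId>batik-util</artifactId>
        <version>${batik.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The dependency that pulls Batik 1.14 in transitively (from the thread) -->
    <dependency>
      <groupId>org.apache.xmlgraphics</groupId>
      <artifactId>fop</artifactId>
      <version>2.7</version>
    </dependency>
  </dependencies>
</project>
```

After adding the override, run `mvn dependency:tree -Dincludes=org.apache.xmlgraphics:batik*` and check that no `batik-*:1.14` line remains; scanners that flag CVE-2022-40146, CVE-2022-38648 and CVE-2022-38398 report on the resolved version, so a single leftover 1.14 module keeps the build breaker in place. Gradle users get the same effect by forcing the Batik coordinates through `resolutionStrategy`. The override is a consumer-side stopgap, which is why the comment asks for a 2.7.1 release that moves the dependency in FOP itself.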



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
