[
https://issues.apache.org/jira/browse/FOP-3097?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17627031#comment-17627031
]
Martin Hoffmann commented on FOP-3097:
--------------------------------------
There are new CVE issues fixed in Batik 1.16. I created a new FOP jira issue
for this new CVEs.
FOP-3104
> A FOP 2.7.1 hotfix release with only updated batik dependencies
> ---------------------------------------------------------------
>
> Key: FOP-3097
> URL: https://issues.apache.org/jira/browse/FOP-3097
> Project: FOP
> Issue Type: Wish
> Affects Versions: 2.7
> Reporter: Joshua Marquart
> Priority: Major
>
> batik 1.14 is a dependency of FOP 2.7. 1.14 has CVE issues considered HIGH
> and MEDIUM.
> CVE-2022-40146 - HIGH
> CVE-2022-38648 - MEDIUM
> CVE-2022-38398 - MEDIUM
> These issues are resolved in batik 1.15.
> The existence of these dependency vulnerabilities cause items such as
> buildbreaker to prevent proper clean builds when referencing FOP 2.7. The
> CVE associated with batik 1.14 are considered vulnerability issues by
> security teams who run audits and enforce build breaker scenarios, preventing
> deployments of FOP 2.7 due to the vuln existence.
> WORKAROUND
> The current workaround is for developers to enforce a custom batik dependency
> override to 1.15. A FOP 2.7.1 hotfix release just to address the batik
> dependency problem would be appreciated by the extended community. It
> theoretically should not require any FOP code changes.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
