[
https://issues.apache.org/jira/browse/FOP-3097?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Joshua Marquart updated FOP-3097:
---------------------------------
Description:
batik 1.14 is a dependency of FOP 2.7.
1.14 has CVE issues considered HIGH and MEDIUM.
CVE-2022-40146 - HIGH
CVE-2022-38648 - MEDIUM
CVE-2022-38398 - MEDIUM
These issues are resolved in batik 1.15, but 1.15 still contains
vulnerabilities.
CVE-2022-42890 - MEDIUM
CVE-2022-41704 - MEDIUM
These issues are resolved in batik 1.16.
The existence of these dependency vulnerabilities cause items such as
buildbreaker to prevent proper clean builds when referencing FOP 2.7. The CVE
associated with batik 1.16 are considered vulnerability issues by security
teams who run audits and enforce build breaker scenarios, preventing
deployments of FOP 2.7 due to the vuln existence.
WORKAROUND
The current workaround is for developers to enforce a custom batik dependency
override to 1.16. A FOP 2.7.1 hotfix release just to address the batik
dependency problem would be appreciated by the extended community. It
theoretically should not require any FOP code changes.
was:
batik 1.14 is a dependency of FOP 2.7.
1.14 has CVE issues considered HIGH and MEDIUM.
CVE-2022-40146 - HIGH
CVE-2022-38648 - MEDIUM
CVE-2022-38398 - MEDIUM
These issues are resolved in batik 1.15.
CVE-2022-42890 - MEDIUM
CVE-2022-41704 - MEDIUM
These issues are resolved in batik 1.16.
The existence of these dependency vulnerabilities cause items such as
buildbreaker to prevent proper clean builds when referencing FOP 2.7. The CVE
associated with batik 1.16 are considered vulnerability issues by security
teams who run audits and enforce build breaker scenarios, preventing
deployments of FOP 2.7 due to the vuln existence.
WORKAROUND
The current workaround is for developers to enforce a custom batik dependency
override to 1.16. A FOP 2.7.1 hotfix release just to address the batik
dependency problem would be appreciated by the extended community. It
theoretically should not require any FOP code changes.
> A FOP 2.7.1 hotfix release with only updated batik dependencies
> ---------------------------------------------------------------
>
> Key: FOP-3097
> URL: https://issues.apache.org/jira/browse/FOP-3097
> Project: FOP
> Issue Type: Wish
> Affects Versions: 2.7
> Reporter: Joshua Marquart
> Priority: Major
>
> batik 1.14 is a dependency of FOP 2.7.
> 1.14 has CVE issues considered HIGH and MEDIUM.
> CVE-2022-40146 - HIGH
> CVE-2022-38648 - MEDIUM
> CVE-2022-38398 - MEDIUM
> These issues are resolved in batik 1.15, but 1.15 still contains
> vulnerabilities.
> CVE-2022-42890 - MEDIUM
> CVE-2022-41704 - MEDIUM
> These issues are resolved in batik 1.16.
> The existence of these dependency vulnerabilities cause items such as
> buildbreaker to prevent proper clean builds when referencing FOP 2.7. The
> CVE associated with batik 1.16 are considered vulnerability issues by
> security teams who run audits and enforce build breaker scenarios, preventing
> deployments of FOP 2.7 due to the vuln existence.
> WORKAROUND
> The current workaround is for developers to enforce a custom batik dependency
> override to 1.16. A FOP 2.7.1 hotfix release just to address the batik
> dependency problem would be appreciated by the extended community. It
> theoretically should not require any FOP code changes.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
