[ https://issues.apache.org/jira/browse/FOP-3097?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17631187#comment-17631187 ]
Joshua Marquart commented on FOP-3097:
--------------------------------------

Good to know. Thank you for all the effort!

> A FOP 2.7.1 hotfix release with only updated batik dependencies
> ---------------------------------------------------------------
>
>                 Key: FOP-3097
>                 URL: https://issues.apache.org/jira/browse/FOP-3097
>             Project: FOP
>          Issue Type: Wish
>    Affects Versions: 2.7
>            Reporter: Joshua Marquart
>            Priority: Major
>
> batik 1.14 is a dependency of FOP 2.7.
> 1.14 has CVE issues considered HIGH and MEDIUM.
> CVE-2022-40146 - HIGH
> CVE-2022-38648 - MEDIUM
> CVE-2022-38398 - MEDIUM
> These issues are resolved in batik 1.15, but 1.15 still contains
> vulnerabilities.
> CVE-2022-42890 - MEDIUM
> CVE-2022-41704 - MEDIUM
> These issues are resolved in batik 1.16.
> The existence of these dependency vulnerabilities causes items such as
> buildbreaker to prevent proper clean builds when referencing FOP 2.7. The
> CVEs associated with batik 1.16 are considered vulnerability issues by
> security teams who run audits and enforce build breaker scenarios, preventing
> deployments of FOP 2.7 due to the vuln existence.
> WORKAROUND
> The current workaround is for developers to enforce a custom batik dependency
> override to 1.16. A FOP 2.7.1 hotfix release just to address the batik
> dependency problem would be appreciated by the extended community. It
> theoretically should not require any FOP code changes.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
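The dependency override described in the WORKAROUND section, written out as an added example for a Gradle build (this is not code from the issue or from the FOP project); it assumes the consuming project declares `org.apache.xmlgraphics:fop:2.7` and that the Batik modules FOP pulls in all live in the `org.apache.xmlgraphics` group with a `batik-` prefix, and it adds a task that fails the build if any resolved Batik artifact is still not 1.16. Maven users get the same effect with a `dependencyManagement` entry per Batik artifact.

```groovy
// Added example (not from FOP-3097 or the FOP project): force every Batik
// module that FOP 2.7 drags in to 1.16, then verify the override actually took.

dependencies {
    implementation 'org.apache.xmlgraphics:fop:2.7'
}

configurations.all {
    resolutionStrategy.eachDependency { DependencyResolveDetails details ->
        def req = details.requested
        // Assumption: all Batik artifacts share this group and name prefix.
        if (req.group == 'org.apache.xmlgraphics' && req.name.startsWith('batik-')) {
            details.useVersion '1.16'
            details.because 'FOP 2.7 resolves Batik 1.14 (CVE-2022-40146, ' +
                            'CVE-2022-38648, CVE-2022-38398); 1.16 also covers ' +
                            'CVE-2022-42890 and CVE-2022-41704 present in 1.15'
        }
    }
}

// Guard against the override silently not applying (e.g. a later plugin or
// platform re-pinning Batik): fail if any resolved Batik artifact is not 1.16.
tasks.register('verifyBatikVersion') {
    doLast {
        def wrong = configurations.runtimeClasspath.resolvedConfiguration.resolvedArtifacts
            .collect { it.moduleVersion.id }
            .findAll { it.group == 'org.apache.xmlgraphics' &&
                       it.name.startsWith('batik-') && it.version != '1.16' }
        if (wrong) {
            throw new GradleException("Batik not pinned to 1.16: ${wrong}")
        }
    }
}

// Run the guard as part of the normal build so a regression breaks CI early.
tasks.named('check') { dependsOn 'verifyBatikVersion' }
```

`gradle dependencyInsight --dependency batik-transcoder` shows the "because" reason next to the forced version if you want to confirm the override by hand.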