[ https://issues.apache.org/jira/browse/FOP-3106?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Simon Steiner resolved FOP-3106.
--------------------------------
    Resolution: Duplicate

FOP-3097

> CVE-2022-40146 fix BATIK-1335 in batik dependency not yet included in FOP build
> -------------------------------------------------------------------------------
>
>                 Key: FOP-3106
>                 URL: https://issues.apache.org/jira/browse/FOP-3106
>             Project: FOP
>          Issue Type: Bug
>    Affects Versions: 2.7
>            Reporter: David Campbell
>            Priority: Major
>
> There is a security issue [https://nvd.nist.gov/vuln/detail/CVE-2022-40146]
> in batik which is a dependency of FOP.
> I understand that https://issues.apache.org/jira/browse/BATIK-1335 is the fix
> for security issue, but there's no new FOP build that includes the fixed
> batik version 1.15 as a dependency.
> It appears that the latest FOP is 2.7 and for example
> [https://repo1.maven.org/maven2/org/apache/xmlgraphics/fop-parent/2.7/fop-parent-2.7.pom]
> says:
> <batik.version>1.14</batik.version>

--
This message was sent by Atlassian Jira
(v8.20.10#820010)