[jira] [Updated] (FOP-3106) CVE-2022-40146 fix BATIK-1335 in batik dependency not yet included in FOP build
[ https://issues.apache.org/jira/browse/FOP-3106?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] David Campbell updated FOP-3106: Description: There is a security issue [https://nvd.nist.gov/vuln/detail/CVE-2022-40146] in batik which is a dependency of FOP. I understand that https://issues.apache.org/jira/browse/BATIK-1335 is the fix for security issue, but there's no new FOP build that includes the fixed batik version 1.15 as a dependency. was: There is a security issue [https://nvd.nist.gov/vuln/detail/CVE-2022-40146] in batik which is dependency of FOP. I understand that https://issues.apache.org/jira/browse/BATIK-1335 is the fix for security issue, but there's no new FOP build that includes the fixed batik version 1.15 as a dependency. > CVE-2022-40146 fix BATIK-1335 in batik dependency not yet included in FOP > build > --- > > Key: FOP-3106 > URL: https://issues.apache.org/jira/browse/FOP-3106 > Project: FOP > Issue Type: Bug >Affects Versions: 2.7 >Reporter: David Campbell >Priority: Major > > There is a security issue [https://nvd.nist.gov/vuln/detail/CVE-2022-40146] > in batik which is a dependency of FOP. > I understand that https://issues.apache.org/jira/browse/BATIK-1335 is the fix > for security issue, but there's no new FOP build that includes the fixed > batik version 1.15 as a dependency. > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (FOP-3106) CVE-2022-40146 fix BATIK-1335 in batik dependency not yet included in FOP build
[ https://issues.apache.org/jira/browse/FOP-3106?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] David Campbell updated FOP-3106: Description: There is a security issue [https://nvd.nist.gov/vuln/detail/CVE-2022-40146] in batik which is a dependency of FOP. I understand that https://issues.apache.org/jira/browse/BATIK-1335 is the fix for security issue, but there's no new FOP build that includes the fixed batik version 1.15 as a dependency. It appears that the latest FOP is 2.7 and for example [https://repo1.maven.org/maven2/org/apache/xmlgraphics/fop-parent/2.7/fop-parent-2.7.pom] says: 1.14 was: There is a security issue [https://nvd.nist.gov/vuln/detail/CVE-2022-40146] in batik which is a dependency of FOP. I understand that https://issues.apache.org/jira/browse/BATIK-1335 is the fix for security issue, but there's no new FOP build that includes the fixed batik version 1.15 as a dependency. > CVE-2022-40146 fix BATIK-1335 in batik dependency not yet included in FOP > build > --- > > Key: FOP-3106 > URL: https://issues.apache.org/jira/browse/FOP-3106 > Project: FOP > Issue Type: Bug >Affects Versions: 2.7 >Reporter: David Campbell >Priority: Major > > There is a security issue [https://nvd.nist.gov/vuln/detail/CVE-2022-40146] > in batik which is a dependency of FOP. > I understand that https://issues.apache.org/jira/browse/BATIK-1335 is the fix > for security issue, but there's no new FOP build that includes the fixed > batik version 1.15 as a dependency. > It appears that the latest FOP is 2.7 and for example > [https://repo1.maven.org/maven2/org/apache/xmlgraphics/fop-parent/2.7/fop-parent-2.7.pom] > says: > 1.14 > -- This message was sent by Atlassian Jira (v8.20.10#820010)
