[jira] [Resolved] (FOP-3106) CVE-2022-40146 fix BATIK-1335 in batik dependency not yet included in FOP build

2022-11-06 Thread Simon Steiner (Jira)


 [ https://issues.apache.org/jira/browse/FOP-3106?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Simon Steiner resolved FOP-3106.

Resolution: Duplicate

FOP-3097

> CVE-2022-40146 fix BATIK-1335 in batik dependency not yet included in FOP 
> build
> ---
>
> Key: FOP-3106
> URL: https://issues.apache.org/jira/browse/FOP-3106
> Project: FOP
> Issue Type: Bug
> Affects Versions: 2.7
> Reporter: David Campbell
> Priority: Major
>
> There is a security issue [https://nvd.nist.gov/vuln/detail/CVE-2022-40146] 
> in batik which is a dependency of FOP.
> I understand that https://issues.apache.org/jira/browse/BATIK-1335 is the fix 
> for security issue, but there's no new FOP build that includes the fixed 
> batik version 1.15 as a dependency.
> It appears that the latest FOP is 2.7 and for example 
> [https://repo1.maven.org/maven2/org/apache/xmlgraphics/fop-parent/2.7/fop-parent-2.7.pom]
>  says:
> 1.14
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Updated] (FOP-3106) CVE-2022-40146 fix BATIK-1335 in batik dependency not yet included in FOP build

2022-11-06 Thread David Campbell (Jira)


 [ https://issues.apache.org/jira/browse/FOP-3106?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Campbell updated FOP-3106:

Description: 
There is a security issue [https://nvd.nist.gov/vuln/detail/CVE-2022-40146] in 
batik which is a dependency of FOP.

I understand that https://issues.apache.org/jira/browse/BATIK-1335 is the fix 
for security issue, but there's no new FOP build that includes the fixed batik 
version 1.15 as a dependency.

 

  was:
There is a security issue [https://nvd.nist.gov/vuln/detail/CVE-2022-40146] in 
batik which is dependency of FOP.

I understand that https://issues.apache.org/jira/browse/BATIK-1335 is the fix 
for security issue, but there's no new FOP build that includes the fixed batik 
version 1.15 as a dependency.

 


> CVE-2022-40146 fix BATIK-1335 in batik dependency not yet included in FOP 
> build
> ---
>
> Key: FOP-3106
> URL: https://issues.apache.org/jira/browse/FOP-3106
> Project: FOP
> Issue Type: Bug
> Affects Versions: 2.7
> Reporter: David Campbell
> Priority: Major
>
> There is a security issue [https://nvd.nist.gov/vuln/detail/CVE-2022-40146] 
> in batik which is a dependency of FOP.
> I understand that https://issues.apache.org/jira/browse/BATIK-1335 is the fix 
> for security issue, but there's no new FOP build that includes the fixed 
> batik version 1.15 as a dependency.
>  





[jira] [Updated] (FOP-3106) CVE-2022-40146 fix BATIK-1335 in batik dependency not yet included in FOP build

2022-11-06 Thread David Campbell (Jira)


 [ https://issues.apache.org/jira/browse/FOP-3106?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Campbell updated FOP-3106:

Description: 
There is a security issue [https://nvd.nist.gov/vuln/detail/CVE-2022-40146] in 
batik which is a dependency of FOP.

I understand that https://issues.apache.org/jira/browse/BATIK-1335 is the fix 
for security issue, but there's no new FOP build that includes the fixed batik 
version 1.15 as a dependency.

It appears that the latest FOP is 2.7 and for example 
[https://repo1.maven.org/maven2/org/apache/xmlgraphics/fop-parent/2.7/fop-parent-2.7.pom]
 says:
1.14
 

  was:
There is a security issue [https://nvd.nist.gov/vuln/detail/CVE-2022-40146] in 
batik which is a dependency of FOP.

I understand that https://issues.apache.org/jira/browse/BATIK-1335 is the fix 
for security issue, but there's no new FOP build that includes the fixed batik 
version 1.15 as a dependency.

 


> CVE-2022-40146 fix BATIK-1335 in batik dependency not yet included in FOP 
> build
> ---
>
> Key: FOP-3106
> URL: https://issues.apache.org/jira/browse/FOP-3106
> Project: FOP
> Issue Type: Bug
> Affects Versions: 2.7
> Reporter: David Campbell
> Priority: Major
>
> There is a security issue [https://nvd.nist.gov/vuln/detail/CVE-2022-40146] 
> in batik which is a dependency of FOP.
> I understand that https://issues.apache.org/jira/browse/BATIK-1335 is the fix 
> for security issue, but there's no new FOP build that includes the fixed 
> batik version 1.15 as a dependency.
> It appears that the latest FOP is 2.7 and for example 
> [https://repo1.maven.org/maven2/org/apache/xmlgraphics/fop-parent/2.7/fop-parent-2.7.pom]
>  says:
> 1.14
>  





[jira] [Created] (FOP-3106) CVE-2022-40146 fix BATIK-1335 in batik dependency not yet included in FOP build

2022-11-06 Thread David Campbell (Jira)
David Campbell created FOP-3106:
---

 Summary: CVE-2022-40146 fix BATIK-1335 in batik dependency not yet 
included in FOP build
 Key: FOP-3106
 URL: https://issues.apache.org/jira/browse/FOP-3106
 Project: FOP
  Issue Type: Bug
Affects Versions: 2.7
Reporter: David Campbell


There is a security issue [https://nvd.nist.gov/vuln/detail/CVE-2022-40146] in 
batik which is dependency of FOP.

I understand that https://issues.apache.org/jira/browse/BATIK-1335 is the fix 
for security issue, but there's no new FOP build that includes the fixed batik 
version 1.15 as a dependency.

 





RE: FOP build

2010-12-22 Thread Eric Douglas
I don't know why my ant builds always seem to fail junit tests, but it appears 
most if not all of those tests are for the custom fonts it includes for 
whatever reason.  I print everything in one font (Lucida Typewriter) so it's 
readable and fixed width, so I'll just create my own version and hack out 
everything to do with specific fonts including the junit tests. 

-Original Message-
From: Pascal Sancho [mailto:pascal.san...@takoma.fr] 
Sent: Thursday, December 09, 2010 8:28 AM
To: fop-dev@xmlgraphics.apache.org
Subject: Re: FOP build

Hi,
Junit tests are for pre-commit purpose.
You can easily avoid them by running the right ant option:
 ant package.

see [1] for further info on running ant with fop.

[1] http://xmlgraphics.apache.org/fop/1.0/compiling.html#env-ant

On 09/12/2010 14:08, Eric Douglas wrote:
> Is there a way to simplify FOP?  I have the 1.0 source.  I can run the
> ant build and it creates a new jar.  Now I tried excluding a font
> class I don't need, and it failed the build on a junit test.  I tried
> commenting that test out and it failed a different test.  I excluded a
> few tests and it succeeded but it didn't create the jar.  It should
> still be executing that step which creates the jar.  I'm passing in
> custom fonts so I'd like to be able to save some overhead by removing
> all of those base 14 fonts.
 

--
pascal


FOP build

2010-12-09 Thread Eric Douglas
Is there a way to simplify FOP?  I have the 1.0 source.  I can run the
ant build and it creates a new jar.  Now I tried excluding a font class
I don't need, and it failed the build on a junit test.  I tried
commenting that test out and it failed a different test.  I excluded a
few tests and it succeeded but it didn't create the jar.  It should
still be executing that step which creates the jar.  I'm passing in
custom fonts so I'd like to be able to save some overhead by removing
all of those base 14 fonts.


Re: FOP build

2010-12-09 Thread Pascal Sancho
Hi,
Junit tests are for pre-commit purpose.
You can easily avoid them by running the right ant option:
 ant package.

see [1] for further info on running ant with fop.

[1] http://xmlgraphics.apache.org/fop/1.0/compiling.html#env-ant

On 09/12/2010 14:08, Eric Douglas wrote:
> Is there a way to simplify FOP?  I have the 1.0 source.  I can run the
> ant build and it creates a new jar.  Now I tried excluding a font class
> I don't need, and it failed the build on a junit test.  I tried
> commenting that test out and it failed a different test.  I excluded a
> few tests and it succeeded but it didn't create the jar.  It should
> still be executing that step which creates the jar.  I'm passing in
> custom fonts so I'd like to be able to save some overhead by removing
> all of those base 14 fonts.
 

--
pascal


RE: FOP build

2010-12-09 Thread Eric Douglas
I tried commenting out the base 14 collection statement here and it created 
fop.jar but I've set it up differently than on my home PC.
Here my ant build starts out telling me this.
 [echo] --- Apache FOP 1.0 [1999-2010] 
 [echo] See build.properties and build-local.properties for additional build settings
 [echo] Apache Ant version 1.7.1 compiled on June 27 2008
 [echo] VM: 14.3-b01, Sun Microsystems Inc.
 [echo] JAVA_HOME: ${env.JAVA_HOME}
 [echo] JAI Support PRESENT
 [echo] JCE Support PRESENT
 [echo] JUnit Support NOT Present - Committers are required to have JUnit working
 [echo] XMLUnit Support NOT Present - you can get it from http://xmlunit.sourceforge.net

On my home PC I believe it's saying JAI Support is not present, I'm not sure 
what that's looking for, but it says JUnit and XMLUnit support are present.  I 
can test again to let you know exactly what it complains about when JUnit is 
working but the fop.jar stops getting updated if you have the JUnit and just 
comment out this one line.

package org.apache.fop.render;
...
public abstract class PrintRenderer extends AbstractRenderer
...
    public void setupFontInfo(FontInfo inFontInfo) throws FOPException {
        this.fontInfo = inFontInfo;
        FontManager fontManager = userAgent.getFactory().getFontManager();
        FontCollection[] fontCollections = new FontCollection[] {
            //new Base14FontCollection(fontManager.isBase14KerningEnabled()),
            new CustomFontCollection(getFontResolver(), getFontList())
        };
        fontManager.setup(getFontInfo(), fontCollections);
    }

For my purpose I shouldn't need any code referencing the base 14 fonts.  I'm 
passing in custom fonts.  I assume CustomFontCollection here will handle that.

-Original Message-
From: Pascal Sancho [mailto:pascal.san...@takoma.fr] 
Sent: Thursday, December 09, 2010 8:28 AM
To: fop-dev@xmlgraphics.apache.org
Subject: Re: FOP build

Hi,
Junit tests are for pre-commit purpose.
You can easily avoid them by running the right ant option:
 ant package.

see [1] for further info on running ant with fop.

[1] http://xmlgraphics.apache.org/fop/1.0/compiling.html#env-ant

On 09/12/2010 14:08, Eric Douglas wrote:
> Is there a way to simplify FOP?  I have the 1.0 source.  I can run the
> ant build and it creates a new jar.  Now I tried excluding a font
> class I don't need, and it failed the build on a junit test.  I tried
> commenting that test out and it failed a different test.  I excluded a
> few tests and it succeeded but it didn't create the jar.  It should
> still be executing that step which creates the jar.  I'm passing in
> custom fonts so I'd like to be able to save some overhead by removing
> all of those base 14 fonts.
 

--
pascal