[ https://issues.apache.org/jira/browse/FOP-3096?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17613055#comment-17613055 ]
Joshua Marquart commented on FOP-3096:
--------------------------------------

Simon-

While you, I, and the general development community do not consider the batik 1.14 issue a vulnerability, the existence of the now-legacy batik in the build cycle causes problems for those who rely on FOP. The CVEs associated with batik 1.14 are considered vulnerability issues by security teams who run audits and enforce build-breaker scenarios, preventing deployments of FOP 2.7 due to the existence of the vulnerabilities.

As it stands at this time, due to the batik 1.14 dependence, FOP 2.7 scans as:

CVE-2022-40146 - HIGH
CVE-2022-38648 - MEDIUM
CVE-2022-38398 - MEDIUM

The current workaround is for developers to enforce a batik dependency override to 1.15, but a fop 2.7.1 hotfix release just to address the batik dependency problem would go a long way.

> New version with batik in version 1.15 to resolve CVE-2022-40146
> ----------------------------------------------------------------
>
>                 Key: FOP-3096
>                 URL: https://issues.apache.org/jira/browse/FOP-3096
>             Project: FOP
>          Issue Type: Wish
>    Affects Versions: 2.7
>            Reporter: Alexis Nouvel
>            Priority: Minor
>
> When will a new version of fop that references batik in version 1.15 be released?

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
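The "batik dependency override to 1.15" workaround mentioned in the comment, written out as a Maven pom.xml fragment. This is an added example and not code from the FOP project or from anyone in the thread. It assumes a consumer project that depends on fop 2.7 and pins every transitive batik module through dependencyManagement, since Maven has no wildcard override; the module list below is an assumption and should be checked against the output of `mvn dependency:tree -Dincludes=org.apache.xmlgraphics:batik-*` for the actual build, adding any batik artifact that still resolves to 1.14.

```xml
<!-- Added example: pin every transitive batik module that fop 2.7 pulls in
     to 1.15, so that scanners no longer flag CVE-2022-40146 and friends.
     The list of modules is an assumption; verify it with
     `mvn dependency:tree -Dincludes=org.apache.xmlgraphics:batik-*`. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>       <!-- hypothetical consumer project -->
  <artifactId>fop-consumer</artifactId>
  <version>1.0.0</version>

  <properties>
    <fop.version>2.7</fop.version>
    <!-- Single place to bump batik; 1.15 is the version the Jira issue asks for. -->
    <batik.version>1.15</batik.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- One entry per batik module: Maven's nearest-wins resolution will
           otherwise keep the 1.14 versions declared by fop-core. -->
      <dependency>
        <groupId>org.apache.xmlgraphics</groupId>
        <artifactId>batik-anim</artifactId>
        <version>${batik.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.xmlgraphics</groupId>
        <artifactId>batik-awt-util</artifactId>
        <version>${batik.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.xmlgraphics</groupId>
        <artifactId>batik-bridge</artifactId>
        <version>${batik.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.xmlgraphics</groupId>
        <artifactId>batik-css</artifactId>
        <version>${batik.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.xmlgraphics</groupId>
        <artifactId>batik-dom</artifactId>
        <version>${batik.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.xmlgraphics</groupId>
        <artifactId>batik-ext</artifactId>
        <version>${batik.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.xmlgraphics</groupId>
        <artifactId>batik-extension</artifactId>
        <version>${batik.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.xmlgraphics</groupId>
        <artifactId>batik-gvt</artifactId>
        <version>${batik.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.xmlgraphics</groupId>
        <artifactId>batik-svg-dom</artifactId>
        <version>${batik.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.xmlgraphics</groupId>
        <artifactId>batik-transcoder</artifactId>
        <version>${batik.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.xmlgraphics</groupId>
        <artifactId>batik-util</artifactId>
        <version>${batik.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The actual FOP dependency; its batik 1.14 transitives are overridden above. -->
    <dependency>
      <groupId>org.apache.xmlgraphics</groupId>
      <artifactId>fop</artifactId>
      <version>${fop.version}</version>
    </dependency>
  </dependencies>
</project>
```

After the change, rerun the dependency tree and the scanner: if any `batik-*` artifact still shows 1.14, it is a module missing from the managed list, and the three CVEs will keep being reported for that jar. Pinning a transitive version this way is a consumer-side mitigation only; it does not change what FOP 2.7 itself declares, which is why the comment asks for a 2.7.1 release.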