[
https://issues.apache.org/jira/browse/FOP-3096?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17613055#comment-17613055
]
Joshua Marquart commented on FOP-3096:
--------------------------------------
Simon-
While you, I, and the general development community do not consider the batik
1.14 issue a vulnerability, the existence of the now-legacy batik in the build
cycle causes problems with those who rely on FOP. The CVEs associated with
batik 1.14 are considered vulnerability issues by security teams who run audits
and enforce build breaker scenarios, preventing deployments of FOP 2.7 due to
the vuln existence.
As it stands at this time, due to batik 1.14 dependence, FOP 2.7 scans as
CVE-2022-40146 - HIGH
CVE-2022-38648 - MEDIUM
CVE-2022-38398 - MEDIUM
The current workaround is for developers to enforce a batik dependency override
to 1.15, but a fop 2.7.1 hotfix release just to address the batik dependency
problem would go a long way.
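The dependency override described in the comment above, shown as a Maven
`dependencyManagement` fragment. This is an added example, not configuration
from the FOP project or from the commenter: the property name `batik.version`
and the list of `batik-*` artifacts are assumptions, and the list must be
reconciled against what `mvn dependency:tree` actually reports for your build,
because a single unpinned `batik-*` artifact left at 1.14 is enough for a
scanner to keep flagging the three CVEs listed above.

```xml
<project>
  <!-- ... groupId/artifactId/version of your own build ... -->

  <properties>
    <!-- Assumed property name; the point is one place to bump Batik. -->
    <batik.version>1.15</batik.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!--
        Assumed artifact list. Maven has no wildcard here, so every Batik
        artifact that FOP 2.7 pulls in transitively has to be named, or it
        stays at 1.14. Check with:
          mvn dependency:tree -Dincludes=org.apache.xmlgraphics:batik-*
        and add any batik-* artifact that still resolves to 1.14.
      -->
      <dependency>
        <groupId>org.apache.xmlgraphics</groupId>
        <artifactId>batik-anim</artifactId>
        <version>${batik.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.xmlgraphics</groupId>
        <artifactId>batik-awt-util</artifactId>
        <version>${batik.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.xmlgraphics</groupId>
        <artifactId>batik-bridge</artifactId>
        <version>${batik.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.xmlgraphics</groupId>
        <artifactId>batik-css</artifactId>
        <version>${batik.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.xmlgraphics</groupId>
        <artifactId>batik-dom</artifactId>
        <version>${batik.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.xmlgraphics</groupId>
        <artifactId>batik-gvt</artifactId>
        <version>${batik.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.xmlgraphics</groupId>
        <artifactId>batik-transcoder</artifactId>
        <version>${batik.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.xmlgraphics</groupId>
        <artifactId>batik-util</artifactId>
        <version>${batik.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- FOP itself stays at 2.7; only its Batik transitives are pinned. -->
    <dependency>
      <groupId>org.apache.xmlgraphics</groupId>
      <artifactId>fop</artifactId>
      <version>2.7</version>
    </dependency>
  </dependencies>
</project>
```

Two things to check after applying this. First, re-run the same
`dependency:tree` command and confirm no `batik-*:1.14` remains, since
`dependencyManagement` only affects artifacts it names. Second, FOP 2.7 was
built and tested against Batik 1.14, not 1.15, so run whatever rendering
tests exercise SVG-in-FO paths in your application before treating the
override as equivalent to the hotfix release the comment asks for.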
> New version with batik in version 1.15 to resolve CVE-2022-40146
> ----------------------------------------------------------------
>
> Key: FOP-3096
> URL: https://issues.apache.org/jira/browse/FOP-3096
> Project: FOP
> Issue Type: Wish
> Affects Versions: 2.7
> Reporter: Alexis Nouvel
> Priority: Minor
>
> When a new version of fop that reference batik in version 1.15 will be
> released?
--
This message was sent by Atlassian Jira
(v8.20.10#820010)