[ https://issues.apache.org/jira/browse/FOP-3104?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Simon Steiner resolved FOP-3104.
--------------------------------
    Resolution: Duplicate FOP-3097

> A FOP 2.7.1 hotfix release with only updated batik dependencies to 1.16
> -----------------------------------------------------------------------
>
>                 Key: FOP-3104
>                 URL: https://issues.apache.org/jira/browse/FOP-3104
>             Project: FOP
>          Issue Type: Wish
>    Affects Versions: 2.7
>            Reporter: Martin Hoffmann
>            Priority: Major
>
> Analogous to FOP-3097, there are new CVE issues reported for Batik:
> {quote}
> batik 1.14 is a dependency of FOP 2.7. 1.14 has CVE issues considered HIGH and MEDIUM.
>
> CVE-2022-42890 - HIGH
> CVE-2022-41704 - HIGH
>
> These issues are resolved in batik 1.16.
>
> The existence of these dependency vulnerabilities causes items such as buildbreaker to prevent proper clean builds when referencing FOP 2.7. The CVEs associated with batik 1.14 are considered vulnerability issues by security teams who run audits and enforce build breaker scenarios, preventing deployments of FOP 2.7 due to the vuln existence.
>
> WORKAROUND
>
> The current workaround is for developers to enforce a custom batik dependency override to 1.16. A FOP 2.7.1 hotfix release just to address the batik dependency problem would be appreciated by the extended community. It theoretically should not require any FOP code changes.
> {quote}

--
This message was sent by Atlassian Jira
(v8.20.10#820010)