[
https://issues.apache.org/jira/browse/FOP-3106?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
David Campbell updated FOP-3106:
--------------------------------
Description:
There is a security issue [https://nvd.nist.gov/vuln/detail/CVE-2022-40146] in
batik which is a dependency of FOP.
I understand that https://issues.apache.org/jira/browse/BATIK-1335 is the fix
for security issue, but there's no new FOP build that includes the fixed batik
version 1.15 as a dependency.
It appears that the latest FOP is 2.7 and for example
[https://repo1.maven.org/maven2/org/apache/xmlgraphics/fop-parent/2.7/fop-parent-2.7.pom]
says:
<batik.version>1.14</batik.version>
was:
There is a security issue [https://nvd.nist.gov/vuln/detail/CVE-2022-40146] in
batik which is a dependency of FOP.
I understand that https://issues.apache.org/jira/browse/BATIK-1335 is the fix
for security issue, but there's no new FOP build that includes the fixed batik
version 1.15 as a dependency.
> CVE-2022-40146 fix BATIK-1335 in batik dependency not yet included in FOP
> build
> -------------------------------------------------------------------------------
>
> Key: FOP-3106
> URL: https://issues.apache.org/jira/browse/FOP-3106
> Project: FOP
> Issue Type: Bug
> Affects Versions: 2.7
> Reporter: David Campbell
> Priority: Major
>
> There is a security issue [https://nvd.nist.gov/vuln/detail/CVE-2022-40146]
> in batik which is a dependency of FOP.
> I understand that https://issues.apache.org/jira/browse/BATIK-1335 is the fix
> for security issue, but there's no new FOP build that includes the fixed
> batik version 1.15 as a dependency.
> It appears that the latest FOP is 2.7 and for example
> [https://repo1.maven.org/maven2/org/apache/xmlgraphics/fop-parent/2.7/fop-parent-2.7.pom]
> says:
> <batik.version>1.14</batik.version>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
