Uploaded image for project: 'FOP'
  1. FOP
  2. FOP-3097

A FOP 2.7.1 hotfix release with only updated batik dependencies

    XMLWordPrintableJSON

Details

    • Wish
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 2.7
    • None
    • None
    • None

    Description

      batik 1.14 is a dependency of FOP 2.7. 

      1.14 has CVE issues considered HIGH and MEDIUM.  

      CVE-2022-40146 - HIGH

      CVE-2022-38648 - MEDIUM

      CVE-2022-38398 - MEDIUM

      These issues are resolved in batik 1.15, but 1.15 still contains vulnerabilities.

      CVE-2022-42890 - MEDIUM

       CVE-2022-41704 - MEDIUM

      These issues are resolved in batik 1.16.

      The existence of these dependency vulnerabilities cause items such as buildbreaker to prevent proper clean builds when referencing FOP 2.7.  The CVE associated with batik 1.16 are considered vulnerability issues by security teams who run audits and enforce build breaker scenarios, preventing deployments of FOP 2.7 due to the vuln existence.

      WORKAROUND

      The current workaround is for developers to enforce a custom batik dependency override to 1.16.  A FOP 2.7.1 hotfix release just to address the batik dependency problem would be appreciated by the extended community.  It theoretically should not require any FOP code changes.

      Attachments

        Issue Links

          is cloned by

          Wish - General wishlist item. FOP-3104 A FOP 2.7.1 hotfix release with only updated batik dependencies to 1.16

          • Major - Major loss of function.
          • Resolved

          Activity

            People

              Unassigned Unassigned
              joshdm Joshua Marquart
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: