[FOP-3104] A FOP 2.7.1 hotfix release with only updated batik dependencies to 1.16 - ASF JIRA

Attach files

Attach Screenshot

Voters

Watch issue

Watchers

Create sub-task

Link

Clone

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Wish
Status: Resolved
Priority: Major
Resolution: Duplicate
Affects Version/s: 2.7
Fix Version/s: None
Component/s: None
Labels:
None

Description

Analog to ~~FOP-3097~~ there are new CVE issues reported for Batik:

batik 1.14 is a dependency of FOP 2.7. 1.14 has CVE issues considered HIGH and MEDIUM.

CVE-2022-42890 - HIGH

CVE-2022-41704 - HIGH

These issues are resolved in batik 1.16.

The existence of these dependency vulnerabilities cause items such as buildbreaker to prevent proper clean builds when referencing FOP 2.7. The CVE associated with batik 1.14 are considered vulnerability issues by security teams who run audits and enforce build breaker scenarios, preventing deployments of FOP 2.7 due to the vuln existence.

WORKAROUND

The current workaround is for developers to enforce a custom batik dependency override to 1.16. A FOP 2.7.1 hotfix release just to address the batik dependency problem would be appreciated by the extended community. It theoretically should not require any FOP code changes.