Category: Task
Priority: Urgent
Status: Feedback Requested
Project:
Severity: Major
Resolution: No Change Required
Component:
Reproducibility: N/A
Assigned to:
net.sf.jasperreports:jasperreports:6.18.1 depends on com.lowagie:itext:2.1.7.js9, which has two known vulnerabilities (CVE-2017-9096 and CVE-2021-43113).
Could jasperreports please update its itext dependency to a newer version of itext, so that those of us depending on jasperreports won't be pulling in a version of itext known to have vulnerabilities?
v6.18.1
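A quick way to confirm in your own build what the issue describes, added here as an example (it is not code from the issue, the reporter, or the JasperReports project): parse `mvn dependency:tree` output and report the path through which com.lowagie:itext is pulled in. The sample tree, the project coordinate com.example:report-service and the sibling artifact versions are constructed for this example; only the jasperreports and itext coordinates are the ones the issue names.

```python
"""Flag the legacy com.lowagie:itext artifact in `mvn dependency:tree` output.

The sample tree below is constructed by hand to look like the output of
`mvn dependency:tree` for a project that depends on
net.sf.jasperreports:jasperreports:6.18.1; it is not captured from a real build.
"""
import re

# Constructed sample (not a real build log); the sibling artifacts and their
# versions are illustrative, the itext coordinate is the one the issue names.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ report-service ---
[INFO] com.example:report-service:jar:1.0.0
[INFO] +- net.sf.jasperreports:jasperreports:jar:6.18.1:compile
[INFO] |  +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] |  +- com.lowagie:itext:jar:2.1.7.js9:compile
[INFO] |  \\- org.eclipse.jdt:ecj:jar:3.21.0:compile
[INFO] \\- org.slf4j:slf4j-api:jar:1.7.36:compile
"""

SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}

# One tree line: optional "[INFO]" prefix, tree-drawing characters, then
# groupId:artifactId:type[:classifier]:version[:scope].
LINE_RE = re.compile(
    r"^(?:\[INFO\]\s*)?(?P<prefix>[|+\\\- ]*)"
    r"(?P<gav>[A-Za-z0-9_.\-]+:[A-Za-z0-9_.\-]+(?::[^:\s]+){2,4})\s*$"
)


def parse_tree(text):
    """Yield (groupId, artifactId, version, path) for every node.

    Depth is derived from the width of the tree-drawing prefix (3 characters
    per level). path is the chain of group:artifact:version coordinates from
    the root project down to the node, which tells you *which* direct
    dependency dragged an artifact in.
    """
    stack = []  # ancestors as (depth, "group:artifact:version")
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # plugin banner, blank line, etc.
        depth = len(m.group("prefix")) // 3
        parts = m.group("gav").split(":")
        group, artifact = parts[0], parts[1]
        # The last field is the scope unless this is the root project line.
        version = parts[-2] if parts[-1] in SCOPES else parts[-1]
        coord = f"{group}:{artifact}:{version}"
        while stack and stack[-1][0] >= depth:
            stack.pop()
        path = [c for _, c in stack] + [coord]
        stack.append((depth, coord))
        yield group, artifact, version, path


LEGACY_ITEXT = ("com.lowagie", "itext")


def find_legacy_itext(text):
    """Return the dependency paths that pull in com.lowagie:itext.

    Any version under this groupId is the old 2.x line (2.1.7 and forks such
    as the 2.1.7.jsN builds); iText 5 and 7 ship under the groupId
    com.itextpdf, so a plain coordinate match is enough to spot the old one.
    """
    return [
        " -> ".join(path)
        for group, artifact, _version, path in parse_tree(text)
        if (group, artifact) == LEGACY_ITEXT
    ]


if __name__ == "__main__":
    # Run `mvn dependency:tree > tree.txt` and feed that file instead of the
    # constructed sample to check your own build.
    for hit in find_legacy_itext(SAMPLE_TREE):
        print("legacy iText pulled in via:", hit)
```

Matching on the groupId alone is deliberate: because iText 5 and 7 moved to com.itextpdf, anything still resolved under com.lowagie is the 2.x line whatever the .jsN suffix says, and the printed path shows which direct dependency (here jasperreports) is responsible, which is the artifact an exclusion or override would have to target.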
2 Comments:
I already reported CVE-2021-43113 in https://community.jaspersoft.com/jasperreports-library/issues/13961; they claim it is a non-issue.
Hi,
I assume you are aware that since version 5 there has been a change of license for iText, which prevents people from using it for free in commercial applications. Furthermore, the package names have been changed, so iText 2.1.7, iText 5 and iText 7 are all totally different dependencies.
They cannot simply be replaced with one another.
Because of the license change in iText, we have created a separate project which acts like a plugin to JasperReports and can be used by those who want the latest iText:
https://github.com/Jaspersoft/jasperreports-pdf-lib7
But again, be aware of the license.
Thank you,
Teodor