[#14011] - Update itext dependency

Category: Task
Priority: Urgent
Status: Feedback Requested
Project:
Severity: Major
Component:
Resolution: No Change Required
Reproducibility: N/A
Assigned to:
net.sf.jasperreports:jasperreports:6.18.1 depends on com.lowagie:itext:2.1.7.js9, which has two known vulnerabilities (CVE-2017-9096 and CVE-2021-43113).

Could jasperreports please update its itext dependency to a newer version of itext, so that those of us depending on jasperreports won't be pulling in a version of itext known to have vulnerabilities?

v6.18.1
Joined: Feb 15 2022 - 7:23am
Last seen: 1 year 1 month ago
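As an added illustration, not code from the issue reporter or the JasperReports project: a small Python check that parses the text output of `mvn dependency:tree`, flags the vulnerable coordinate named in this issue, and reports which direct dependency pulls it in. The sample tree output and the `com.example:demo` coordinates are constructed for the example; the advisory table holds only the two CVEs named above.

```python
"""Flag known-vulnerable artifacts in `mvn dependency:tree` output."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of `mvn dependency:tree` output (not from a real build).
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ demo ---
[INFO] com.example:demo:jar:1.0.0
[INFO] +- net.sf.jasperreports:jasperreports:jar:6.18.1:compile
[INFO] |  +- com.lowagie:itext:jar:2.1.7.js9:compile
[INFO] |  +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] |  \\- org.eclipse.jdt:ecj:jar:3.21.0:compile
[INFO] \\- org.slf4j:slf4j-api:jar:1.7.36:compile
"""

# (groupId, artifactId, version) -> advisories, as named in the issue above.
VULNERABLE = {
    ("com.lowagie", "itext", "2.1.7.js9"): ["CVE-2017-9096", "CVE-2021-43113"],
}

INFO_PREFIX = "[INFO] "
# Tree glyphs occupy three columns per nesting level: '+- ', '\- ', '|  ', '   '.
# An optional '(' covers verbose-mode lines such as '(g:a:jar:1.0:compile - omitted ...)'.
LINE_RE = re.compile(r"^((?:\+- |\\- |\|  |   )*)\(?([^\s)]+)")


@dataclass(frozen=True)
class Artifact:
    group: str
    artifact: str
    version: str
    scope: str
    depth: int


def parse_tree(text: str) -> list[Artifact]:
    """Turn dependency:tree text into a flat, depth-annotated list of artifacts."""
    nodes: list[Artifact] = []
    for raw in text.splitlines():
        line = raw[len(INFO_PREFIX):] if raw.startswith(INFO_PREFIX) else raw
        m = LINE_RE.match(line)
        if not m:
            continue
        glyphs, coord = m.groups()
        parts = coord.split(":")
        # Maven coordinates: groupId:artifactId:packaging[:classifier]:version[:scope]
        if len(parts) == 4:          # root project line has no scope
            group, artifact, _pkg, version = parts
            scope = ""
        elif len(parts) == 5:
            group, artifact, _pkg, version, scope = parts
        elif len(parts) == 6:
            group, artifact, _pkg, _classifier, version, scope = parts
        else:
            continue                 # plugin banner, blank line, or other noise
        nodes.append(Artifact(group, artifact, version, scope, len(glyphs) // 3))
    return nodes


def dependency_paths(nodes: list[Artifact]):
    """Yield (node, ancestors-including-node) using the depth of each line."""
    stack: list[Artifact] = []
    for node in nodes:
        del stack[node.depth:]       # pop back to this node's parent level
        stack.append(node)
        yield node, list(stack)


def find_vulnerable(text: str, db: dict = VULNERABLE) -> list[tuple[str, list[str], str]]:
    """Return (coordinate, advisories, path-from-root) for every flagged artifact."""
    findings = []
    for node, path in dependency_paths(parse_tree(text)):
        key = (node.group, node.artifact, node.version)
        if key in db:
            chain = " -> ".join(f"{n.group}:{n.artifact}:{n.version}" for n in path)
            findings.append((":".join(key), db[key], chain))
    return findings


if __name__ == "__main__":
    for coord, advisories, chain in find_vulnerable(SAMPLE_TREE):
        print(f"{coord}: {', '.join(advisories)}\n  via {chain}")
```

Running the script on the constructed sample reports `com.lowagie:itext:2.1.7.js9` with both CVEs and the path `com.example:demo:1.0.0 -> net.sf.jasperreports:jasperreports:6.18.1 -> com.lowagie:itext:2.1.7.js9`, which is the information needed to decide whether an exclusion, an override, or the separate PDF plugin project is the right remediation. In practice, pipe `mvn dependency:tree` output into `find_vulnerable` and fail the build on a non-empty result.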

2 Comments:

#1

I already reported CVE-2021-43113 in https://community.jaspersoft.com/jasperreports-library/issues/13961. They claim it is a non-issue.

#2
  • Resolution: Open » No Change Required
  • Status: New » Feedback Requested
  • Assigned: nobody » teodord

Hi,

I assume you are aware that since version 5+ there was a change of license for iText, which prevents people from using it for free in commercial applications. Furthermore, the package names have been changed so iText 2.1.7 and iText 5 and iText 7 are all totally different dependencies.
They cannot simply be replaced with one another.

Because of the license change in iText, we have created a separate project which acts like a plugin to JasperReports and can be used by those who want the latest iText:
https://github.com/Jaspersoft/jasperreports-pdf-lib7

But again, be aware of the license.

Thank you,
Teodor
