Hi,
As far as I know, Jasper Reports uses its own fork version of iText, 2.1.7-js. At the same time, I have no confirmation about closed vulnerabilities (CVE-2017-9096). The js1-8 version is not mentioned in the iText stable tags.
I found a question https://community.jaspersoft.com/questions/1102206/itext-217-and-cve-201... where the same question is linked with another vulnerability (CVE-2018-5382) - not the same.
Could you confirm whether the CVE-2017-9096 vulnerability is fixed in some fork versions, or is waiting to be resolved in some future updates?
Thanks,
Mikhail
1 Answer:
In my recent Maven library dependency build of JasperReports 6.17.0, it still depends on iText 2.1.7, which is a lower version and has reached End of Life.
May I know when the JasperReports library will be updated to use a higher version of iText, i.e. iText 7.xx, or move to another library for PDF generation?
Please do share the roadmap on this.
Thank you
FYI: https://community.jaspersoft.com/wiki/tibco-security-issues-policy-and-procedure