Switch PDF dependency from iText to OpenPDF #780
Comments
First, as said here, "The attack can be carried out by submitting a malicious PDF to an iText application that parses XML data". Second, if you use the Third, the OpenPDF requirements may conflict with the requirements of Jenkins/Confluence/JIRA/etc when using the javamelody plugins. For example, various versions of Jenkins may need dependencies on commons-io 2.4, commons-compress 1.10 and commons-codec 1.9 or other versions. And various versions of JIRA may need dependencies on commons-io 2.1, commons-compress 1.8.1 and commons-codec 1.9 or others. That will never be the same versions compared to the OpenPDF official requirements and it may cause bugs in Jenkins/Confluence/JIRA/etc or in OpenPDF depending on which versions are used. In summary, if you use
Fair enough, thanks for considering it.
Yes, I suppose and I hope that OpenPDF will keep the iText 2.1.7 compatibility for a long time.
Thanks for considering OpenPDF. I'm the maintainer. Please let me know if you have any issues. @jonnermut Would you consider reopening this?
Sure, but it’s up to @evernat
OpenPDF will maintain compatibility with iText indefinitely if possible. We will listen to the feedback from the users of the library, so some changes could be made if the users want or need it.
Related to issue 113 in OpenPDF.
OpenPDF 1.2.5 has been released, where most of the dependencies have been removed.
iText 2.1.7 is affected by this security issue:
https://nvd.nist.gov/vuln/detail/CVE-2017-9096
OpenPDF is a LGPL/MPL fork of iText 2.1.7 which is maintained:
https://github.com/LibrePDF/OpenPDF
Seems to work fine with JavaMelody, so it would be good if you could switch the dependency and test with it going forward.