
Replace iText 2.1.7 dependency with OpenPDF 1.0.5 [SPR-16352] #20899

Closed
spring-issuemaster opened this issue Jan 5, 2018 · 1 comment

@spring-issuemaster (Collaborator) commented Jan 5, 2018

Andreas Røsdal opened SPR-16352 and commented

I propose to replace the iText 2.1.7 dependency in Spring (spring-webmvc) with OpenPDF 1.0.5. OpenPDF is a maintained fork of iText 4.x which still has a LGPL license. The project is maintained on GitHub: https://github.com/librepdf/openpdf

These are some references to iText 2.1.7 in Spring:
https://github.com/spring-projects/spring-framework/blob/master/spring-webmvc/spring-webmvc.gradle
https://github.com/spring-projects/spring-framework/search?utf8=%E2%9C%93&q=itext&type=

Project GitHub page:
https://github.com/librepdf/openpdf

OpenPDF contains a fix for CVE-2017-9096 (iText XML External Entity Vulnerability):
LibrePDF/OpenPDF#56
This security vulnerability has not been fixed in iText 2.1.7, since it is no longer maintained.

Issue Links:

  • #20655 Compatibility with OpenPDF as alternative to iText 2.1.7

Referenced from: commits 7a55d93

@spring-issuemaster (Collaborator, Author) commented Jan 5, 2018

Juergen Hoeller commented

We have asserted compatibility with OpenPDF in #20655 already. For the time being, we simply didn't replace the dependency because it is optional anyway, and our reference API for compilation purposes is still iText itself.

Point taken: for guidance purposes, we could update even our optional dependency to a current version of OpenPDF. We'll consider that for Spring Framework 5.0.3, which is the release that goes into Spring Boot 2.0 RC1.
