Replace iText 2.1.7 dependency with OpenPDF 1.0.5 [SPR-16352] #20899
I propose to replace the iText 2.1.7 dependency in Spring (spring-webmvc) with OpenPDF 1.0.5. OpenPDF is a maintained fork of iText 4.x which still has a LGPL license. The project is maintained on GitHub: https://github.com/librepdf/openpdf
These are some references to iText 2.1.7 in Spring:
Project GitHub page:
OpenPDF contains a fix for CVE-2017-9096 (iText XML External Entity vulnerability).
Referenced from: commits 7a55d93
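The dependency swap the proposal describes, shown as a Gradle build fragment. This is an added example for an application that renders PDFs through Spring MVC's `AbstractPdfView`; it is not from the Spring Framework build or from the OpenPDF project. It assumes the Maven Central coordinates `com.lowagie:itext:2.1.7` and `com.github.librepdf:openpdf:1.0.5`, and relies on OpenPDF keeping iText's `com.lowagie.text` package names, which is why the Spring view classes compile unchanged against it.

```groovy
// build.gradle (added example, not the Spring Framework build)
dependencies {
    implementation 'org.springframework:spring-webmvc:5.0.2.RELEASE'

    // Before: the unmaintained iText 2.1.7 that spring-webmvc declares as optional.
    // Affected by CVE-2017-9096 (XML External Entity handling); left here only
    // as the "before" state and commented out.
    // implementation 'com.lowagie:itext:2.1.7'

    // After: the maintained LGPL fork. Same com.lowagie.text packages, so
    // AbstractPdfView subclasses need no source changes.
    implementation 'com.github.librepdf:openpdf:1.0.5'
}

// Guard against a transitive dependency silently pulling the old artifact back in.
// Gradle resolves to the requested OpenPDF module and fails the build if any
// configuration still resolves com.lowagie:itext.
configurations.all {
    resolutionStrategy.eachDependency { details ->
        if (details.requested.group == 'com.lowagie' && details.requested.name == 'itext') {
            throw new GradleException("iText 2.1.7 is banned; use com.github.librepdf:openpdf instead")
        }
    }
}
```

Running `gradle dependencies --configuration runtimeClasspath` after the change confirms that only the OpenPDF artifact appears in the resolved graph; the `eachDependency` hook turns any reintroduction of the old coordinates by another library into a build failure rather than a silent downgrade.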
Juergen Hoeller commented
We have asserted compatibility with OpenPDF in #20655 already. For the time being, we simply didn't replace the dependency because it is optional anyway, and our reference API for compilation purposes is still iText itself.
Point taken, for guidance purposes, we could update even our optional dependency to a current version of OpenPDF. We'll consider that for Spring Framework 5.0.3 which is the release that goes into Spring Boot 2.0 RC1.