Jasper Ideas

Security fixes need to be released as full releases, not just service packs on top of older releases

We distribute a customized build of JasperReports Server in a container. Every installation is a full installation, not an upgrade of an existing server. To incorporate security fixes, we need a full distribution of JasperReports Server that includes these fixes.

Unfortunately, the fixes for the October security issues (2021-35494, 2021-35495, and 2021-35496) were only distributed as a service pack that must be installed on top of an older release. We have been using JasperReports Server 7.5.1, which does not include the fixes. The release with the fixes (7.5.2 for us) does not include a full distribution of the product; it is just an incremental overlay over 7.5.1.

Note that 7.5.1 was released as a full installation; this request is just to make 7.5.2 and other security-patch releases follow the same pattern.

This was originally requested in case 02061666, which was dismissed as an enhancement request.

  • Guest
  • Nov 8 2021
  • To be Reviewed
Components JasperReports Server
  • Guest commented
    13 Jan 08:59am

    Especially relevant for Log4Shell

  • Phil I commented
    17 Nov, 2021 11:08pm

    I too lost over a day of my time on this one.

    Adding to this, the format/structure of the readme files changed to no longer have a blank line after added/updated/deleted files, which makes automated parsing more difficult.