
List:       openejb-cvs
Subject:    [jira] [Commented] (TOMEE-2876) Fix cxf CVE issues
From:       "Robert Schaft (Jira)" <jira () apache ! org>
Date:       2020-08-20 16:45:00
Message-ID: JIRA.13316880.1594807180000.247589.1597941900250 () Atlassian ! JIRA


    [ https://issues.apache.org/jira/browse/TOMEE-2876?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17181316#comment-17181316 ]

Robert Schaft commented on TOMEE-2876:
--------------------------------------

If CVE-2019-12406 is not patched for the TomEE 7 branch and there is no workaround, you could as well close the branch and say that TomEE 7 is End of Life, because there are known vulnerabilities that can't be fixed.

This feature doesn't look like it would be hard to port back.

We are between two chairs here: CXF and TomEE. We decided to go with TomEE 7 one year ago, when TomEE 8 wasn't stable enough. CXF doesn't want to backport, TomEE doesn't want to implement a new API.

We have the same issue in our project. In the current stabilizing phase we want to avoid implementing new APIs. Updating to TomEE v8 is therefore not an option.


> Fix cxf CVE issues
> ------------------
> 
> Key: TOMEE-2876
> URL: https://issues.apache.org/jira/browse/TOMEE-2876
> Project: TomEE
> Issue Type: Dependency upgrade
> Components: TomEE Build
> Affects Versions: 7.1.3
> Reporter: Leandro Vale
> Assignee: Jonathan Gallimore
> Priority: Major
> 
> The following CVE vulnerabilities have been identified in cxf 3.1.18:
> * CVE-2019-12423
> * CVE-2020-1954
> * CVE-2019-12406
> Please consider upgrading to at least v3.3.6 (latest v3.3.7).



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


