[prev in list] [next in list] [prev in thread] [next in thread]
List: openejb-cvs
Subject: [jira] [Commented] (TOMEE-2876) Fix cxf CVE issues
From: "Jonathan Gallimore (Jira)" <jira () apache ! org>
Date: 2020-08-24 14:36:00
Message-ID: JIRA.13316880.1594807180000.262194.1598279760137 () Atlassian ! JIRA
[Download RAW message or body]
[ https://issues.apache.org/jira/browse/TOMEE-2876?page=com.atlassian.jira.plugin. \
system.issuetabpanels:comment-tabpanel&focusedCommentId=17183350#comment-17183350 ]
Jonathan Gallimore commented on TOMEE-2876:
-------------------------------------------
Let's leave this open, because there are some potential options to patch this that \
are worth exploring.
With respect to your feedback:
> We are between two chairs here. CXF and TomEE. We decided to go with TomEE 7 one \
> year ago, when TomEE 8 wasn't stable enough. CXF doesn't want to backport, TomEE \
> doesn't want to implement a new API.
JAX-RS is the API, CXF is the implementation. Theoretically, we could change to \
something different, but TomEE consciously chooses to use Apache implementations \
where possible. Creating a new implementation of JAX-RS from scratch is likely a very \
substantial task.
> We have the same issue in our project. In the current stabilizing phase we want to \
> avoid implementing new APIs. Updating to TomEE v8 is therefore not an option.
You'd be moving to a newer version of the JAX-RS API. The APIs tend to be backwards \
compatible (Jakarta EE 9 with the namespace change is an exception). I wouldn't \
expect you to run into issues moving from TomEE 7 -> 8. If you tried it, and did run \
into issues, we'd be interested to know what those issues are.
> Fix cxf CVE issues
> ------------------
>
> Key: TOMEE-2876
> URL: https://issues.apache.org/jira/browse/TOMEE-2876
> Project: TomEE
> Issue Type: Dependency upgrade
> Components: TomEE Build
> Affects Versions: 7.1.3
> Reporter: Leandro Vale
> Assignee: Jonathan Gallimore
> Priority: Major
>
> The following CVE vulnerabilities have been identified in cxf 3.1.18:
> * CVE-2019-12423
> * CVE-2020-1954
> * CVE-2019-12406
> Please consider upgrading to at least v3.3.6 (latest v3.3.7).
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic