'[jira] [Commented] (TOMEE-2876) Fix cxf CVE issues'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       openejb-cvs
Subject:    [jira] [Commented] (TOMEE-2876) Fix cxf CVE issues
From:       "Jonathan Gallimore (Jira)" <jira () apache ! org>
Date:       2020-08-24 14:36:00
Message-ID: JIRA.13316880.1594807180000.262194.1598279760137 () Atlassian ! JIRA
[Download RAW message or body]


    [ https://issues.apache.org/jira/browse/TOMEE-2876?page=com.atlassian.jira.plugin. \
system.issuetabpanels:comment-tabpanel&focusedCommentId=17183350#comment-17183350 ] 

Jonathan Gallimore commented on TOMEE-2876:
-------------------------------------------

Let's leave this open, because there are some potential options to patch this that \
are worth exploring.

  

With respect to your feedback:

> We are between two chairs here. CXF and TomEE. We decided to go with TomEE 7 one \
> year ago, when TomEE 8 wasn't stable enough. CXF doesn't want to backport, TomEE \
> doesn't want to implement a new API.

JAX-RS is the API, CXF is the implementation. Theoretically, we could change to \
something different, but TomEE consciously chooses to use Apache implementations \
where possible. Creating a new implementation of JAX-RS from scratch is likely a very \
substantial task.

  

> We have the same issue in our project. In the current stabilizing phase we want to \
> avoid implementing new APIs. Updating to TomEE v8 is therefore not an option.  

You'd be moving to a newer version of the JAX-RS API. The APIs tend to be backwards \
compatible (Jakarta EE 9 with the namespace change is an exception). I wouldn't \
expect you to run into issues moving from TomEE 7 -> 8. If you tried it, and did run \
into issues, we'd be interested to know what those issues are.

  

> Fix cxf CVE issues
> ------------------
> 
> Key: TOMEE-2876
> URL: https://issues.apache.org/jira/browse/TOMEE-2876
> Project: TomEE
> Issue Type: Dependency upgrade
> Components: TomEE Build
> Affects Versions: 7.1.3
> Reporter: Leandro Vale
> Assignee: Jonathan Gallimore
> Priority: Major
> 
> The following CVE vulnerabilities have been identified in cxf 3.1.18:
> * CVE-2019-12423
> * CVE-2020-1954
> * CVE-2019-12406
> Please consider upgrading to at least v3.3.6 (latest v3.3.7).



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic