You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@tomee.apache.org by "Robert Schaft (Jira)" <ji...@apache.org> on 2020/10/06 14:04:00 UTC

[jira] [Commented] (TOMEE-2876) Fix cxf CVE issues

    [ https://issues.apache.org/jira/browse/TOMEE-2876?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17208770#comment-17208770 ] 

Robert Schaft commented on TOMEE-2876:
--------------------------------------

> JAX-RS is the API, CXF is the implementation. Theoretically, we could change to something different, but TomEE consciously chooses to use Apache implementations where possible. Creating a new implementation of JAX-RS from scratch is likely a very substantial task.

So if CXF is just the implementation, why can't you update to a higher minor CXF version that has the issues fixed?

> Fix cxf CVE issues
> ------------------
>
>                 Key: TOMEE-2876
>                 URL: https://issues.apache.org/jira/browse/TOMEE-2876
>             Project: TomEE
>          Issue Type: Dependency upgrade
>          Components: TomEE Build
>    Affects Versions: 7.1.3
>            Reporter: Leandro Vale
>            Assignee: Jonathan Gallimore
>            Priority: Major
>
> The following CVE vulnerabilities have been identified in cxf 3.1.18:
>  * CVE-2019-12423
>  * CVE-2020-1954
>  * CVE-2019-12406
> Please consider upgrading to at least v3.3.6 (latest v3.3.7).



--
This message was sent by Atlassian Jira
(v8.3.4#803005)