You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@tomee.apache.org by "Robert Schaft (Jira)" <ji...@apache.org> on 2020/10/06 14:04:00 UTC
[jira] [Commented] (TOMEE-2876) Fix cxf CVE issues
[ https://issues.apache.org/jira/browse/TOMEE-2876?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17208770#comment-17208770 ]
Robert Schaft commented on TOMEE-2876:
--------------------------------------
> JAX-RS is the API, CXF is the implementation. Theoretically, we could change to something different, but TomEE consciously chooses to use Apache implementations where possible. Creating a new implementation of JAX-RS from scratch is likely a very substantial task.
So if CXF is just the implementation, why can't you update to a higher minor CXF version that has the issues fixed?
> Fix cxf CVE issues
> ------------------
>
> Key: TOMEE-2876
> URL: https://issues.apache.org/jira/browse/TOMEE-2876
> Project: TomEE
> Issue Type: Dependency upgrade
> Components: TomEE Build
> Affects Versions: 7.1.3
> Reporter: Leandro Vale
> Assignee: Jonathan Gallimore
> Priority: Major
>
> The following CVE vulnerabilities have been identified in cxf 3.1.18:
> * CVE-2019-12423
> * CVE-2020-1954
> * CVE-2019-12406
> Please consider upgrading to at least v3.3.6 (latest v3.3.7).
--
This message was sent by Atlassian Jira
(v8.3.4#803005)