Posted to commits@myfaces.apache.org by lo...@apache.org on 2021/10/21 10:02:04 UTC

[myfaces-tobago] branch tobago-5.x updated: build: workaround for CVE-2021-42340

This is an automated email from the ASF dual-hosted git repository.

lofwyr pushed a commit to branch tobago-5.x
in repository https://gitbox.apache.org/repos/asf/myfaces-tobago.git


The following commit(s) were added to refs/heads/tobago-5.x by this push:
     new 7252eda  build: workaround for CVE-2021-42340
7252eda is described below

commit 7252eda982f9133056450a6ae6262a9afc7c0387
Author: Udo Schnurpfeil <ud...@irian.eu>
AuthorDate: Thu Oct 21 12:01:05 2021 +0200

    build: workaround for CVE-2021-42340
---
 tobago-example/tobago-example-spring-boot/pom.xml | 29 +++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/tobago-example/tobago-example-spring-boot/pom.xml b/tobago-example/tobago-example-spring-boot/pom.xml
index c2aa0d8..a58a9dc 100644
--- a/tobago-example/tobago-example-spring-boot/pom.xml
+++ b/tobago-example/tobago-example-spring-boot/pom.xml
@@ -120,8 +120,37 @@
                     <groupId>org.glassfish</groupId>
                     <artifactId>jakarta.el</artifactId>
                 </exclusion>
+            <!-- tomcat version set where: fix CVE in tomcat-spring-boot-starter -->
+                <exclusion>
+                    <groupId>org.apache.tomcat.embed</groupId>
+                    <artifactId>tomcat-embed-core</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.tomcat.embed</groupId>
+                    <artifactId>tomcat-embed-jasper</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.tomcat.embed</groupId>
+                    <artifactId>tomcat-embed-websocket</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
+        <!-- tomcat version set where: fix CVE in tomcat-spring-boot-starter -->
+        <dependency>
+            <groupId>org.apache.tomcat.embed</groupId>
+            <artifactId>tomcat-embed-core</artifactId>
+            <version>9.0.54</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.tomcat.embed</groupId>
+            <artifactId>tomcat-embed-jasper</artifactId>
+            <version>9.0.54</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.tomcat.embed</groupId>
+            <artifactId>tomcat-embed-websocket</artifactId>
+            <version>9.0.54</version>
+        </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-web</artifactId>
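Review bot: The three added `tomcat-embed-*` dependencies repeat the literal 9.0.54 with no removal condition, so the pin will keep embedded Tomcat at 9.0.54 even after a later Spring Boot upgrade would have managed a newer, patched release. I would define the version once in a property (the `<properties>` block is outside this hunk) and reference it as `<version>${tomcat.version}</version>`, which also keeps the three artifacts in lock-step. The comment at both places reads `tomcat version set where: fix CVE in tomcat-spring-boot-starter`. Something like `<!-- Workaround for CVE-2021-42340: pin embedded Tomcat; remove once the managed Spring Boot version ships 9.0.54 or later -->` names the CVE and the exit condition, and the first copy should be indented with the `<exclusion>` elements. The enclosing `<dependency>` that receives the exclusions starts above the hunk, so I cannot tell from here whether `tomcat-embed-el` also arrives through it and stays on the older managed version; `mvn dependency:tree` would confirm that every embedded Tomcat artifact resolves to the same version.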