Posted to users@tomee.apache.org by COURTAULT Francois <fr...@thalesgroup.com> on 2020/01/16 14:18:12 UTC

CXF CVE-2019-17573 and CVE-2019-12423

Hello TomEE guys,

If it's not too late before releasing the next TomEE version, could you take into account the CXF team's advice to migrate from 3.3.x to 3.3.5?
Current TomEE 8.0.0 release uses CXF 3.3.2.

Best Regards.
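An added check, not part of this thread or of TomEE itself: an inventory script that lists the CXF jars in a TomEE installation and flags any still below the advisory's fixed release, 3.3.5. It assumes TomEE bundles CXF as Maven-named `cxf-*-<version>.jar` files under `lib/`; the directory listing below is constructed for the example.

```python
import re
from typing import Iterable, List, Tuple

# Release the CXF advisory tells 3.3.x users to move to (from the thread);
# TomEE 8.0.0 ships CXF 3.3.2, which is below it.
FIXED_CXF_VERSION = "3.3.5"

# Maven-style CXF jar names: cxf-<artifact>-<version>[-<qualifier>].jar
_CXF_JAR = re.compile(
    r"^(?P<artifact>cxf(?:-[a-z0-9]+)*)-(?P<version>\d+(?:\.\d+)*)"
    r"(?:-(?P<qualifier>[A-Za-z0-9.]+))?\.jar$"
)

def compare(a: str, b: str) -> int:
    """-1, 0 or 1 as a is below, equal to or above b; numeric parts, missing parts are 0."""
    pa = tuple(int(p) for p in a.split("."))
    pb = tuple(int(p) for p in b.split("."))
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)

def outdated_cxf_jars(jar_names: Iterable[str],
                      fixed: str = FIXED_CXF_VERSION) -> List[Tuple[str, str]]:
    """Return (jar name, version) for each CXF jar still below `fixed`.
    Non-CXF jars are ignored. A qualified build of the fixed version
    (e.g. 3.3.5-SNAPSHOT) is flagged too: it is not the released fix."""
    flagged = []
    for name in sorted(jar_names):
        m = _CXF_JAR.match(name)
        if not m:
            continue
        version, qualifier = m.group("version"), m.group("qualifier")
        c = compare(version, fixed)
        if c < 0 or (c == 0 and qualifier):
            flagged.append((name, version + ("-" + qualifier if qualifier else "")))
    return flagged

# Constructed sample of a TomEE 8.0.0 lib/ listing (not a real directory dump);
# for a live check, pass os.listdir("<tomee>/lib") instead.
SAMPLE_TOMEE_LIB = [
    "cxf-core-3.3.2.jar",
    "cxf-rt-frontend-jaxrs-3.3.2.jar",
    "cxf-rt-rs-security-jose-3.3.2.jar",
    "cxf-rt-transports-http-3.3.2.jar",
    "tomee-catalina-8.0.0.jar",  # not CXF, ignored
]

if __name__ == "__main__":
    for jar, version in outdated_cxf_jars(SAMPLE_TOMEE_LIB):
        print(f"{jar}: CXF {version} < {FIXED_CXF_VERSION}, upgrade needed")
```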

Re: CXF CVE-2019-17573 and CVE-2019-12423

Posted by "Zowalla, Richard" <ri...@hs-heilbronn.de>.
Hi Jon,
I feel your pain. I am +1 for faster releases as well.
Best,
Richard
On Thursday, 16.01.2020, 14:36 +0000, Jonathan Gallimore wrote:
> It is too late, as the current VOTEs were posted before this was
> announced, and I've been trying to get this release out for over a
> month.
> That being said, I would be prepared to roll a subsequent release in
> fairly short order afterwards in order to pick this up. Ideally I'd
> like to try and release more frequently (like monthly), but if the
> process takes multiple weeks, that's unlikely to happen.
> We still need 1 more binding +1 on the existing votes, so I'd
> encourage PMC members to cast a vote.
> Jon
> On Thu, Jan 16, 2020 at 2:18 PM COURTAULT Francois <
> francois.courtault@thalesgroup.com> wrote:
> Hello TomEE guys,
> If it's not too late before releasing the next TomEE version, could you
> take into account the CXF team's advice to migrate from 3.3.x to 3.3.5?
> Current TomEE 8.0.0 release uses CXF 3.3.2.
> Best Regards.
-- 


RE: CXF CVE-2019-17573 and CVE-2019-12423

Posted by COURTAULT Francois <fr...@thalesgroup.com>.
Yes.

-----Original Message-----
From: Jonathan Gallimore [mailto:jonathan.gallimore@gmail.com] 
Sent: Thursday 16 January 2020 15:58
To: users@tomee.apache.org
Cc: dev@tomee.apache.org
Subject: Re: CXF CVE-2019-17573 and CVE-2019-12423

I've applied the change to the master branch. Hopefully the CI won't flag up any issues. I will double check, but I don't think we expose a /services page, or a JWK keys service, so unless you're specifically doing something with CXF in TomEE to use these features, they shouldn't present an issue out of the box. If someone knows different, please let us know.

If the current votes pass, we'll release as is, and kick off another release to pick up the update. If they fail, we'll re-roll, and this will be included. Does that sound reasonable?

Jon

On Thu, Jan 16, 2020 at 2:36 PM Jonathan Gallimore < jonathan.gallimore@gmail.com> wrote:

> It is too late, as the current VOTEs were posted before this was 
> announced, and I've been trying to get this release out for over a month.
>
> That being said, I would be prepared to roll a subsequent release in 
> fairly short order afterwards in order to pick this up. Ideally I'd 
> like to try and release more frequently (like monthly), but if the 
> process takes multiple weeks, that's unlikely to happen.
>
> We still need 1 more binding +1 on the existing votes, so I'd 
> encourage PMC members to cast a vote.
>
> Jon
>
> On Thu, Jan 16, 2020 at 2:18 PM COURTAULT Francois < 
> francois.courtault@thalesgroup.com> wrote:
>
>> Hello TomEE guys,
>>
>> If it's not too late before releasing the next TomEE version, could you 
>> take into account the CXF team's advice to migrate from 3.3.x to 3.3.5?
>> Current TomEE 8.0.0 release uses CXF 3.3.2.
>>
>> Best Regards.
>>
>

Re: CXF CVE-2019-17573 and CVE-2019-12423

Posted by Jonathan Gallimore <jo...@gmail.com>.
I've applied the change to the master branch. Hopefully the CI won't flag
up any issues. I will double check, but I don't think we expose a /services
page, or a JWK keys service, so unless you're specifically doing something
with CXF in TomEE to use these features, they shouldn't present an issue
out of the box. If someone knows different, please let us know.

If the current votes pass, we'll release as is, and kick off another
release to pick up the update. If they fail, we'll re-roll, and this will
be included. Does that sound reasonable?

Jon

On Thu, Jan 16, 2020 at 2:36 PM Jonathan Gallimore <
jonathan.gallimore@gmail.com> wrote:

> It is too late, as the current VOTEs were posted before this was
> announced, and I've been trying to get this release out for over a month.
>
> That being said, I would be prepared to roll a subsequent release in
> fairly short order afterwards in order to pick this up. Ideally I'd like to
> try and release more frequently (like monthly), but if the process takes
> multiple weeks, that's unlikely to happen.
>
> We still need 1 more binding +1 on the existing votes, so I'd encourage
> PMC members to cast a vote.
>
> Jon
>
> On Thu, Jan 16, 2020 at 2:18 PM COURTAULT Francois <
> francois.courtault@thalesgroup.com> wrote:
>
>> Hello TomEE guys,
>>
>> If it's not too late before releasing the next TomEE version, could you take
>> into account the CXF team's advice to migrate from 3.3.x to 3.3.5?
>> Current TomEE 8.0.0 release uses CXF 3.3.2.
>>
>> Best Regards.
>>
>

Re: CXF CVE-2019-17573 and CVE-2019-12423

Posted by Jonathan Gallimore <jo...@gmail.com>.
It is too late, as the current VOTEs were posted before this was announced,
and I've been trying to get this release out for over a month.

That being said, I would be prepared to roll a subsequent release in fairly
short order afterwards in order to pick this up. Ideally I'd like to try
and release more frequently (like monthly), but if the process takes
multiple weeks, that's unlikely to happen.

We still need 1 more binding +1 on the existing votes, so I'd encourage PMC
members to cast a vote.

Jon

On Thu, Jan 16, 2020 at 2:18 PM COURTAULT Francois <
francois.courtault@thalesgroup.com> wrote:

> Hello TomEE guys,
>
> If it's not too late before releasing the next TomEE version, could you take
> into account the CXF team's advice to migrate from 3.3.x to 3.3.5?
> Current TomEE 8.0.0 release uses CXF 3.3.2.
>
> Best Regards.
>
