Posted to commits@tomee.apache.org by "Robert Schaft (Jira)" <ji...@apache.org> on 2020/08/20 16:45:00 UTC

[jira] [Commented] (TOMEE-2876) Fix cxf CVE issues

    [ https://issues.apache.org/jira/browse/TOMEE-2876?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17181316#comment-17181316 ] 

Robert Schaft commented on TOMEE-2876:
--------------------------------------

If CVE-2019-12406 is not patched for the TomEE 7 branch and there is no workaround, you could as well close the branch and say that TomEE 7 is End of Life, because there are known vulnerabilities that can't be fixed.

This feature doesn't look like it would be hard to port back.

We are between two chairs here. CXF and TomEE. We decided to go with TomEE 7 one year ago, when TomEE 8 wasn't stable enough. CXF doesn't want to backport, TomEE doesn't want to implement a new API.

We have the same issue in our project. In the current stabilizing phase we want to avoid implementing new APIs. Updating to TomEE v8 is therefore not an option.


> Fix cxf CVE issues
> ------------------
>
>                 Key: TOMEE-2876
>                 URL: https://issues.apache.org/jira/browse/TOMEE-2876
>             Project: TomEE
>          Issue Type: Dependency upgrade
>          Components: TomEE Build
>    Affects Versions: 7.1.3
>            Reporter: Leandro Vale
>            Assignee: Jonathan Gallimore
>            Priority: Major
>
> The following CVE vulnerabilities have been identified in cxf 3.1.18:
>  * CVE-2019-12423
>  * CVE-2020-1954
>  * CVE-2019-12406
> Please consider upgrading to at least v3.3.6 (latest v3.3.7).



--
This message was sent by Atlassian Jira
(v8.3.4#803005)