Posted to commits@tomee.apache.org by jg...@apache.org on 2021/09/22 13:03:11 UTC

[tomee] branch master updated (e9c1775 -> 0fca723)

This is an automated email from the ASF dual-hosted git repository.

jgallimore pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/tomee.git.


    from e9c1775  Merge branch 'j17'
     new a2dc0d5  Revert "TOMEE-2997 - Update OpenSAML to v3.4.6 (transient dependency of wss4j)"
     new 0fca723  Update xmlsec to 2.2.3 to mitigate CVE-2021-40690

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 boms/tomee-microprofile/pom.xml |   2 +-
 boms/tomee-plume/pom.xml        |   2 +-
 boms/tomee-plus/pom.xml         |   2 +-
 pom.xml                         |   2 +-
 server/openejb-cxf/pom.xml      | 106 ++++------------------------------------
 5 files changed, 14 insertions(+), 100 deletions(-)

[tomee] 02/02: Update xmlsec to 2.2.3 to mitigate CVE-2021-40690

Posted by jg...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

jgallimore pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomee.git

commit 0fca7230c50775ccfd517c9663a1cd89e77b5bb2
Author: Jonathan Gallimore <jo...@jrg.me.uk>
AuthorDate: Wed Sep 22 14:02:11 2021 +0100

    Update xmlsec to 2.2.3 to mitigate CVE-2021-40690
---
 boms/tomee-microprofile/pom.xml |  2 +-
 boms/tomee-plume/pom.xml        |  2 +-
 boms/tomee-plus/pom.xml         |  2 +-
 pom.xml                         |  2 +-
 server/openejb-cxf/pom.xml      | 11 ++++++++++-
 5 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/boms/tomee-microprofile/pom.xml b/boms/tomee-microprofile/pom.xml
index c0fe145..b477597 100644
--- a/boms/tomee-microprofile/pom.xml
+++ b/boms/tomee-microprofile/pom.xml
@@ -851,7 +851,7 @@
     <dependency>
       <groupId>org.apache.santuario</groupId>
       <artifactId>xmlsec</artifactId>
-      <version>2.2.1</version>
+      <version>2.2.3</version>
       <exclusions>
         <exclusion>
           <artifactId>*</artifactId>
diff --git a/boms/tomee-plume/pom.xml b/boms/tomee-plume/pom.xml
index 8849e5f..edb43dc 100644
--- a/boms/tomee-plume/pom.xml
+++ b/boms/tomee-plume/pom.xml
@@ -906,7 +906,7 @@
     <dependency>
       <groupId>org.apache.santuario</groupId>
       <artifactId>xmlsec</artifactId>
-      <version>2.2.1</version>
+      <version>2.2.3</version>
       <exclusions>
         <exclusion>
           <artifactId>*</artifactId>
diff --git a/boms/tomee-plus/pom.xml b/boms/tomee-plus/pom.xml
index 00b02c9..f643da5 100644
--- a/boms/tomee-plus/pom.xml
+++ b/boms/tomee-plus/pom.xml
@@ -972,7 +972,7 @@
     <dependency>
       <groupId>org.apache.santuario</groupId>
       <artifactId>xmlsec</artifactId>
-      <version>2.2.1</version>
+      <version>2.2.3</version>
       <exclusions>
         <exclusion>
           <artifactId>*</artifactId>
diff --git a/pom.xml b/pom.xml
index 4bdbf90..2f11e29 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1585,7 +1585,7 @@
       <dependency>
         <artifactId>xmlsec</artifactId>
         <groupId>org.apache.santuario</groupId>
-        <version>2.2.1</version>
+        <version>2.2.3</version>
       </dependency>
       <dependency>
         <groupId>wsdl4j</groupId>
diff --git a/server/openejb-cxf/pom.xml b/server/openejb-cxf/pom.xml
index d41882b..2b77b4f 100644
--- a/server/openejb-cxf/pom.xml
+++ b/server/openejb-cxf/pom.xml
@@ -33,7 +33,7 @@
 
   <properties>
     <tomee.build.name>${project.groupId}.server.cxf</tomee.build.name>
-    <wss4j.version>2.3.1</wss4j.version>
+    <wss4j.version>2.3.3</wss4j.version>
     <openejb.osgi.import.pkg>
       org.apache.xml.resolver*;resolution:=optional,
       *
@@ -61,11 +61,20 @@
       <artifactId>wsdl4j</artifactId>
     </dependency>
     <dependency>
+      <groupId>org.apache.santuario</groupId>
+      <artifactId>xmlsec</artifactId>
+      <version>2.2.3</version>
+    </dependency>
+    <dependency>
       <groupId>org.apache.wss4j</groupId>
       <artifactId>wss4j-ws-security-dom</artifactId>
       <version>${wss4j.version}</version>
       <exclusions>
         <exclusion>
+          <groupId>org.apache.santuario</groupId>
+          <artifactId>xmlsec</artifactId>
+        </exclusion>
+        <exclusion>
           <groupId>org.apache.geronimo.specs</groupId>
           <artifactId>geronimo-javamail_1.4_spec</artifactId>
         </exclusion>
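Review bot: The added xmlsec dependency hard-codes `<version>2.2.3</version>`, duplicating the value this same commit sets in the root pom.xml and the three BOMs. If the root entry sits under dependencyManagement (the indentation suggests it, but the enclosing element is outside that hunk), the version can be dropped here, so the next security bump is a single edit and this module cannot drift back to a vulnerable release. The new exclusion is applied only to wss4j-ws-security-dom, so it is worth confirming with `mvn dependency:tree -Dincludes=org.apache.santuario:xmlsec` that no other path in the module resolves an older xmlsec. I would also add a comment above the new dependency, e.g. `<!-- CVE-2021-40690: pin xmlsec directly; excluded from wss4j-ws-security-dom below so its transitive version cannot win -->`. The enclosing `<dependencies>` element starts and ends outside the hunk.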

[tomee] 01/02: Revert "TOMEE-2997 - Update OpenSAML to v3.4.6 (transient dependency of wss4j)"

Posted by jg...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

jgallimore pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomee.git

commit a2dc0d518bbb7aecaff6aa614d582f1c1dbd43fd
Author: Jonathan Gallimore <jo...@jrg.me.uk>
AuthorDate: Wed Sep 22 11:06:34 2021 +0100

    Revert "TOMEE-2997 - Update OpenSAML to v3.4.6 (transient dependency of wss4j)"
    
    This reverts commit 91240c9631b9af395f289ee8d48d9c0bd8e3d8c4.
---
 server/openejb-cxf/pom.xml | 95 ----------------------------------------------
 1 file changed, 95 deletions(-)

diff --git a/server/openejb-cxf/pom.xml b/server/openejb-cxf/pom.xml
index fdc1623..d41882b 100644
--- a/server/openejb-cxf/pom.xml
+++ b/server/openejb-cxf/pom.xml
@@ -34,8 +34,6 @@
   <properties>
     <tomee.build.name>${project.groupId}.server.cxf</tomee.build.name>
     <wss4j.version>2.3.1</wss4j.version>
-    <!-- XXX If wss4j is upgraded to >= 2.3.2 (unreleased yet), we can drop the overrides of opensaml -->
-    <opensaml.version>3.4.6</opensaml.version>
     <openejb.osgi.import.pkg>
       org.apache.xml.resolver*;resolution:=optional,
       *
@@ -80,10 +78,6 @@
           <artifactId>ehcache</artifactId>
         </exclusion>
         <exclusion>
-          <groupId>org.ehcache</groupId>
-          <artifactId>ehcache</artifactId>
-        </exclusion>
-        <exclusion>
           <artifactId>guava</artifactId>
           <groupId>com.google.guava</groupId>
         </exclusion>
@@ -109,91 +103,6 @@
     </dependency>
     <dependency>
       <groupId>org.apache.wss4j</groupId>
-      <artifactId>wss4j-ws-security-common</artifactId>
-      <version>${wss4j.version}</version>
-      <exclusions>
-        <exclusion>
-          <groupId>org.opensaml</groupId>
-          <artifactId>opensaml-saml-impl</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>org.opensaml</groupId>
-          <artifactId>opensaml-xacml-impl</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>org.opensaml</groupId>
-          <artifactId>opensaml-xacml-saml-impl</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>org.apache.geronimo.specs</groupId>
-          <artifactId>geronimo-javamail_1.4_spec</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>org.apache.geronimo.javamail</groupId>
-          <artifactId>geronimo-javamail_1.4_mail</artifactId>
-        </exclusion>
-        <exclusion>
-          <artifactId>guava</artifactId>
-          <groupId>com.google.guava</groupId>
-        </exclusion>
-      </exclusions>
-    </dependency>
-    <!-- TOMEE-2997: Override opensaml from the previous artifact "wss4j-ws-security-common" to get >= v3.4.6-->
-    <dependency>
-      <groupId>org.opensaml</groupId>
-      <artifactId>opensaml-saml-impl</artifactId>
-      <version>${opensaml.version}</version>
-      <exclusions>
-        <exclusion>
-          <groupId>org.opensaml</groupId>
-          <artifactId>opensaml-soap-impl</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>org.opensaml</groupId>
-          <artifactId>opensaml-storage-api</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>org.opensaml</groupId>
-          <artifactId>opensaml-messaging-api</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>org.apache.velocity</groupId>
-          <artifactId>velocity</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>org.apache.httpcomponents</groupId>
-          <artifactId>httpclient</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>com.google.code.findbugs</groupId>
-          <artifactId>jsr305</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>com.google.guava</groupId>
-          <artifactId>guava</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>org.cryptacular</groupId>
-          <artifactId>cryptacular</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>io.dropwizard.metrics</groupId>
-          <artifactId>metrics-core</artifactId>
-        </exclusion>
-      </exclusions>
-    </dependency>
-    <dependency>
-      <groupId>org.opensaml</groupId>
-      <artifactId>opensaml-xacml-impl</artifactId>
-      <version>${opensaml.version}</version>
-    </dependency>
-    <dependency>
-      <groupId>org.opensaml</groupId>
-      <artifactId>opensaml-xacml-saml-impl</artifactId>
-      <version>${opensaml.version}</version>
-    </dependency>
-    <dependency>
-      <groupId>org.apache.wss4j</groupId>
       <artifactId>wss4j-policy</artifactId>
       <version>${wss4j.version}</version>
     </dependency>
@@ -206,10 +115,6 @@
           <groupId>net.sf.ehcache</groupId>
           <artifactId>ehcache</artifactId>
         </exclusion>
-        <exclusion>
-          <groupId>org.ehcache</groupId>
-          <artifactId>ehcache</artifactId>
-        </exclusion>
       </exclusions>
     </dependency>
     <dependency>