CXF CVE-2019-17573 and CVE-2019-12423

CXF CVE-2019-17573 and CVE-2019-12423

COURTAULT Francois
Hello TomEE guys,

If it's not too late before releasing next TomEE version, could you take into account the CXF team advice to migrate from 3.3.x to 3.3.5?
Current TomEE 8.0.0 release uses CXF 3.3.2.

Best Regards.

Re: CXF CVE-2019-17573 and CVE-2019-12423

jgallimore
It is too late, as the current VOTEs were posted before this was announced,
and I've been trying to get this release out for over a month.

That being said, I would be prepared to roll a subsequent release in fairly
short order afterwards in order to pick this up. Ideally I'd like to try
and release more frequently (like monthly), but if the process takes
multiple weeks, that's unlikely to happen.

We still need 1 more binding +1 on the existing votes, so I'd encourage PMC
members to cast a vote.

Jon

On Thu, Jan 16, 2020 at 2:18 PM COURTAULT Francois <
[hidden email]> wrote:

> Hello TomEE guys,
>
> If it's not too late before releasing next TomEE version, could you take
> into account the CXF team advice to migrate from 3.3.x to 3.3.5?
> Current TomEE 8.0.0 release uses CXF 3.3.2.
>
> Best Regards.
>

RE: CXF CVE-2019-17573 and CVE-2019-12423

COURTAULT Francois
Yes.

-----Original Message-----
From: Jonathan Gallimore [mailto:[hidden email]]
Sent: Thursday 16 January 2020 15:58
To: [hidden email]
Cc: [hidden email]
Subject: Re: CXF CVE-2019-17573 and CVE-2019-12423

I've applied the change to the master branch. Hopefully the CI won't flag up any issues. I will double check, but I don't think we expose a /services page, or a JWK keys service, so unless you're specifically doing something with CXF in TomEE to use these features, they shouldn't present an issue out of the box. If someone knows different, please let us know.

If the current votes pass, we'll release as is, and kick off another release to pick up the update. If they fail, we'll re-roll, and this will be included. Does that sound reasonable?

Jon

On Thu, Jan 16, 2020 at 2:36 PM Jonathan Gallimore <[hidden email]> wrote:

> It is too late, as the current VOTEs were posted before this was
> announced, and I've been trying to get this release out for over a month.
>
> That being said, I would be prepared to roll a subsequent release in
> fairly short order afterwards in order to pick this up. Ideally I'd
> like to try and release more frequently (like monthly), but if the
> process takes multiple weeks, that's unlikely to happen.
>
> We still need 1 more binding +1 on the existing votes, so I'd
> encourage PMC members to cast a vote.
>
> Jon
>
> On Thu, Jan 16, 2020 at 2:18 PM COURTAULT Francois <
> [hidden email]> wrote:
>
>> Hello TomEE guys,
>>
>> If it's not too late before releasing next TomEE version, could you
>> take into account the CXF team advice to migrate from 3.3.x to 3.3.5?
>> Current TomEE 8.0.0 release uses CXF 3.3.2.
>>
>> Best Regards.
>>
>

Re: CXF CVE-2019-17573 and CVE-2019-12423

Zowalla, Richard
In reply to this post by jgallimore
Hi Jon,

I feel your pain. I am +1 for faster releases as well.

Best,
Richard

On Thursday, 16.01.2020, 14:36 +0000, Jonathan Gallimore wrote:
> It is too late, as the current VOTEs were posted before this was announced,
> and I've been trying to get this release out for over a month.
>
> That being said, I would be prepared to roll a subsequent release in fairly
> short order afterwards in order to pick this up. Ideally I'd like to try
> and release more frequently (like monthly), but if the process takes
> multiple weeks, that's unlikely to happen.
>
> We still need 1 more binding +1 on the existing votes, so I'd encourage PMC
> members to cast a vote.
>
> Jon
>
> On Thu, Jan 16, 2020 at 2:18 PM COURTAULT Francois <
> [hidden email]> wrote:
>
>> Hello TomEE guys,
>>
>> If it's not too late before releasing next TomEE version, could you take
>> into account the CXF team advice to migrate from 3.3.x to 3.3.5?
>> Current TomEE 8.0.0 release uses CXF 3.3.2.
>>
>> Best Regards.
