Re: CXF CVE-2019-17573 and CVE-2019-12423

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

Re: CXF CVE-2019-17573 and CVE-2019-12423

I've applied the change to the master branch. Hopefully the CI won't flag
up any issues. I will double check, but I don't think we expose a /services
page, or a JWK keys service, so unless you're specifically doing something
with CXF in TomEE to use these features, they shouldn't present an issue
out of the box. If someone knows different, please let us know.

If the current votes pass, we'll release as is, and kick off another
release to pick up the update. If they fail, we'll re-roll, and this will
be included. Does that sound reasonable?


On Thu, Jan 16, 2020 at 2:36 PM Jonathan Gallimore <
[hidden email]> wrote:

> It is too late, as the current VOTEs were posted before this was
> announced, and I've been trying to get this release out for over a month.
> That being said, I would be prepared to roll a subsequent release in
> fairly short order afterwards in order to pick this up. Ideally I'd like to
> try and release more frequently (like monthly), but if the process takes
> multiple weeks, that's unlikely to happen.
> We still need 1 more binding +1 on the existing votes, so I'd encourage
> PMC members to cast a vote.
> Jon
> On Thu, Jan 16, 2020 at 2:18 PM COURTAULT Francois <
> [hidden email]> wrote:
>> Hello TomEE guys,
>> If it's not too late before releasing next TomEE version, could you take
>> into account the CXF team advice to migrate from 3.3.x to 3.3.5 ?
>> Current TomEE 8.0.0 release uses CXF 3.3.2.
>> Best Regards.