[
https://issues.apache.org/jira/browse/TOMEE-2876?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17208804#comment-17208804
]
Jonathan Gallimore commented on TOMEE-2876:
-------------------------------------------
> So if CXF is just the implementation, why can't you update to a higher minor
>CXF version that has the issues fixed?
In later versions of TomEE, we do. TomEE 7 targets Java EE 7, which has JAX-RS
2.0. TomEE 8 targets EE8, which is JAX-RS 2.1. The JAX-RS 2.0 version of CXF is
3.1.x - we're on the latest version of CXF 3.1.x already.
Again, I'm happy to try and find a way forward with this when I can for TomEE
7.x. It isn't as trivial as doing a simple dependency update.
If moving to TomEE 8 is problematic for people, we definitely interested in the
pain points, and what we can potentially do to move the needle.
> Fix cxf CVE issues
> ------------------
>
> Key: TOMEE-2876
> URL: https://issues.apache.org/jira/browse/TOMEE-2876
> Project: TomEE
> Issue Type: Dependency upgrade
> Components: TomEE Build
> Affects Versions: 7.1.3
> Reporter: Leandro Vale
> Assignee: Jonathan Gallimore
> Priority: Major
>
> The following CVE vulnerabilities have been identified in cxf 3.1.18:
> * CVE-2019-12423
> * CVE-2020-1954
> * CVE-2019-12406
> Please consider upgrading to at least v3.3.6 (latest v3.3.7).
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
