[ 
https://issues.apache.org/jira/browse/TOMEE-4047?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17605182#comment-17605182
 ] 

Richard Zowalla commented on TOMEE-4047:
----------------------------------------

We discussed 7.0.x or 7.1.x releases on the 
[[email protected]|mailto:[email protected]] list. The related mail 
thread is [https://lists.apache.org/thread/hjbk86vjkds1os4gcvrpxgfxfn77qrl2] 

*tl;dr*
 * Currently, there is no intention to spend our limited resources on 
maintaining 7.0.x or 7.1.x - the majority of people are working on maintaining 
8.x and/or a release of 9.x + preparation of EE10.
 * Reasons are, that these versions of TomEE rely on other libraries in 
versions, which aren't maintained any more or are also affected by CVEs. A 
prominent example is CXF, you can view a [naive Grype output on the list 
archive|https://lists.apache.org/api/email.lua?attachment=true&id=9qxpkrf4m53crm5cpxj4olo5nnjtm0zx&file=bd7092d9c6760a0abb8aa339233a6003488199eda633d12282640fd1926ecab0].

That said, we are perfectly fine, if someone steps up and addresses the issues 
/ CVEs found in 7.0.x or 7.1.x - however, it needs to be a "complete" job as we 
won't do a release containing known vulnerabilities. The reasoning can be found 
on the linked mail thread in which you are free to raise your opinion / voice. 

> CVE-2022-29885 vulnerability on TomEE 7.0.9 version
> ---------------------------------------------------
>
>                 Key: TOMEE-4047
>                 URL: https://issues.apache.org/jira/browse/TOMEE-4047
>             Project: TomEE
>          Issue Type: Bug
>    Affects Versions: 7.0.9
>            Reporter: Guzman Castanedo
>            Priority: Major
>             Fix For: 7.0.10
>
>
> Hello,
> We are using TomEE 7.0.9 and we have found that this version is affected by 
> CVE-2022-29885, because it uses internally tomcat 8.5.57.
> The tomcat versions affected by this vulnerability are between 8.5.38 and 
> 8.5.78.
> It is planned to fix this issue on next TomEE 7.0 versions?
>  
> We have found the same problem in TomEE 7.1 version.
>  
> References:
>  * [https://nvd.nist.gov/vuln/detail/CVE-2022-29885]
>  
> Thank you very much.
> Best regards.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to