Hi Grzegorz,

Thanks - I was hoping actually that 2.1.5 would have fixed the CVE, and the CVE information was out of date :-)

Colm.

On Fri, Jan 29, 2021 at 10:26 AM Grzegorz Grzybek <[email protected]> wrote:

> Hello
>
> Seeing that Undertow 2.2 is mentioned, I'd just like to highlight that
> it's no longer an OSGi bundle (see
> https://issues.redhat.com/browse/UNDERTOW-1684) - if this matters at all
> for CXF :)
>
> kind regards
> Grzegorz Grzybek
>
> On Fri, Jan 29, 2021 at 11:19, Colm O hEigeartaigh <[email protected]> wrote:
>
>> Hey Freeman,
>>
>> Can you check if the latest Undertow 2.1.x release (2.1.5) is still
>> vulnerable to this CVE?
>>
>> https://nvd.nist.gov/vuln/detail/CVE-2020-10687
>>
>> If yes, can we update CXF to Undertow 2.2.x to avoid the CVE? I see Camel
>> has already updated.
>>
>> Thanks,
>>
>> Colm.
