[
https://issues.apache.org/jira/browse/CXF-8687?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17517421#comment-17517421
]
Gary D. Gregory edited comment on CXF-8687 at 4/6/22 3:02 PM:
--------------------------------------------------------------
Hi [~dkulp]
Do you have any guidance on a potential release window?
This issue is flagged for us at work as important if only for the fact that
some CVE scanners flag jars regardless of the actual usage.
was (Author: garydgregory):
{quote}Any chance this will be released quickly as 3.4.7?
{quote}
+1 please
> Version 3.4.6 contains vulnerable spring version
> ------------------------------------------------
>
> Key: CXF-8687
> URL: https://issues.apache.org/jira/browse/CXF-8687
> Project: CXF
> Issue Type: Bug
> Components: Core
> Affects Versions: 3.4.6
> Reporter: Mathieu Veurman
> Priority: Critical
>
> Version 3.4.6 contains the vulnerable spring core version 5.2.19, containing
> this CVE:
> CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+
>
> I do see this commit where the proper version of spring is referenced:
> [https://github.com/apache/cxf/commit/0f8b5a2c2a66ab62c931096aaf512390d58fef3d]
>
> Any chance this will be released quickly as 3.4.7?