We are right in the middle of trying to get an Apache Rampart release out and cannot always respond to every Axis2 dep with a CVE.
First of all you may not actually need those deps. Not all deps are mandatory. Secondly, the only thing Axis2 will do is update the pom.xml and indeed via GitHub Dependabot that happens automatically. Without building from source, the way I manage these deps is by using Maven exclusions in the pom.xml of my day job. Using "mvn -X" will show the dependency tree, and with the right config you can update the jars that way.

On Wed, Jun 21, 2023 at 6:30 AM Steven Saunders <sjs...@gmail.com> wrote:
> Hi Axis2 Dev Mailing List,
>
> There are some more recent CVEs against Jettison 1.5.0 and Spring
> Framework 5.3.21 that are in Axis2 v1.8.2 (latest release).
>
> Would it be possible to get an Axis2 build with these module components
> updated to last release versions?
>
> Do I need to download Axis2 1.8.2 source and try to maven build it locally
> with these modules updated to the new release versions instead?
>
> Details:
> Jettison v1.5.4 addresses CVE-2023-1436 (CVSS v3.1 score in NVD is 7.5)
> Spring Framework v5.3.27 addresses CVE-2023-20863 (CVSS v3.1 score in NVD
> is 6.5)
>
> Thanks,
> -Steven Saunder
>
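The following pom.xml fragment is an added example of the consumer-side approach the reply describes (overriding Axis2's transitive dependency versions without rebuilding Axis2); it is not code from the thread, from Axis2, or from the replier's own project. The Axis2, Jettison and Spring artifact coordinates are assumptions about the dependency tree; the fixed versions 1.5.4 and 5.3.27 are the ones named in the original message. It shows both techniques: a per-path exclusion with a direct replacement, and a dependencyManagement pin that applies wherever the artifact appears in the tree.

```xml
<!-- Added example (not from the thread or the Axis2 project).
     Artifact coordinates below are assumptions; versions come from the message. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>axis2-consumer</artifactId>
  <version>1.0.0</version>

  <properties>
    <axis2.version>1.8.2</axis2.version>
    <!-- Fixed versions named in the original message -->
    <jettison.version>1.5.4</jettison.version>
    <spring.version>5.3.27</spring.version>
  </properties>

  <!-- Technique 1: dependencyManagement pins the version Maven resolves for a
       transitive artifact on every path, so one entry covers all Axis2 modules. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.codehaus.jettison</groupId>
        <artifactId>jettison</artifactId>
        <version>${jettison.version}</version>
      </dependency>
      <!-- Pin each spring-* artifact the dependency tree shows; two are listed
           here as an illustration (assumed to be among those pulled in). -->
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-core</artifactId>
        <version>${spring.version}</version>
      </dependency>
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-beans</artifactId>
        <version>${spring.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.apache.axis2</groupId>
      <artifactId>axis2-kernel</artifactId>
      <version>${axis2.version}</version>
    </dependency>

    <!-- Technique 2 (the exclusion approach from the reply): drop the
         transitive Jettison that the JSON module brings in, then declare
         the fixed version directly so it is still on the classpath. -->
    <dependency>
      <groupId>org.apache.axis2</groupId>
      <artifactId>axis2-json</artifactId>
      <version>${axis2.version}</version>
      <exclusions>
        <exclusion>
          <groupId>org.codehaus.jettison</groupId>
          <artifactId>jettison</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
    <dependency>
      <groupId>org.codehaus.jettison</groupId>
      <artifactId>jettison</artifactId>
      <version>${jettison.version}</version>
    </dependency>
  </dependencies>
</project>
```

After editing, confirm the result with `mvn dependency:tree -Dverbose` (or the `mvn -X` output the reply mentions) and check that no `jettison:1.5.0` or `spring-*:5.3.21` node remains on any path; a module that is not actually needed can simply be left out of the dependencies instead of being patched. Because this substitutes a newer transitive version than Axis2 1.8.2 was built against, the consuming application's own tests are the check that the replacement is runtime compatible.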