[ https://issues.apache.org/jira/browse/AXIS2-6051?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17819773#comment-17819773 ]
Jeff Thomas edited comment on AXIS2-6051 at 2/22/24 7:15 PM:
-------------------------------------------------------------

Hi Robert,

while you are overhauling everything :) one more question - or rather something to think about...

Is there any chance of getting rid of this dependency in the Axis2 code?

{{ca.juliusdavies:not-yet-commons-ssl:0.3.9}}

It is over 14 years old and brings a CVE warning:

|Certificates.java in Not Yet Commons SSL before 0.3.15 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.|

[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3604]

The site from juliusdavies is also no longer online - so no chance of a surprise fix :D

Cheers,
Jeff

was (Author: jwt007):
Hi Robert,

while you are overhauling everything :) one more question - or rather something to think about...

Is there any chance of getting rid of this dependency in the Axis2 code?

{{ca.juliusdavies:not-yet-commons-ssl:0.3.9}}

It is over 14 years old and brings a CVE warning:

|Certificates.java in Not Yet Commons SSL before 0.3.15 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.|

[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3604]

Cheers,
Jeff

> Axis2 Future Roadmap in keeping up with new Java Versions
> ---------------------------------------------------------
>
>                 Key: AXIS2-6051
>                 URL: https://issues.apache.org/jira/browse/AXIS2-6051
>             Project: Axis2
>          Issue Type: Wish
>    Affects Versions: 1.8.0
>            Reporter: Jeff Thomas
>            Assignee: Robert Lazarski
>            Priority: Major
>             Fix For: 1.8.3
>
>
> Related to AXIS2-6035.
> Hi Robert/Andreas/Axis2 Support,
> just a general question about the realistic future of Axis2 (and by extension
> Axiom/Rampart) in keeping up with the quickly changing Java releases.
> We are getting a lot of push from our customers (and our own internal wish to
> use modern java features) to move to java 17+ ... we are hitting more and
> more walls with things like:
> * java modules
> * javax -> jakarta migration // this is a big one!
> ** jakarta.activation
> ** jakarta.validation
> ** jakarta.jms
> ** jakarta.mail
> ** jakarta.jws
> ** jakarta.jaxb
> ** ...
> * Tomcat 10 +
> * and related stuff like
> ** ActiveMQ Artemis (jakarta.jms)
> ** removal of SecurityManager in JDK 19+
> ** etc.
> The sort of general feeling is that unfortunately we are getting pulled
> towards a state of complete incompatibility between Axis2 and current
> supported JVMs / other Frameworks.
> Maybe you can give a bit of feedback about the roadmap for Axis2 and
> addressing the growing gap in dependencies? (and would welcome any info
> about Axiom/Rampart along the same lines). Good or bad news doesn't
> matter...would appreciate having some concrete statement to address our own
> internal planning about the way forward. :)
> Appreciate any info you can provide.