[jira] [Commented] (TOMEE-2999) Translate to Spanish: examples/polling-parent

2021-04-07 Thread Evaldo Junior (Jira)


[ 
https://issues.apache.org/jira/browse/TOMEE-2999?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17316805#comment-17316805
 ] 

Evaldo Junior commented on TOMEE-2999:
--

My PR = https://github.com/apache/tomee/pull/781

> Translate to Spanish: examples/polling-parent
> -
>
> Key: TOMEE-2999
> URL: https://issues.apache.org/jira/browse/TOMEE-2999
> Project: TomEE
>  Issue Type: Sub-task
>  Components: Examples and Documentation
>Affects Versions: 8.0.5
>Reporter: Evaldo Junior
>Assignee: Evaldo Junior
>Priority: Major
>
> Translate the README file into Spanish using the suffix `_es`, so that the 
> TomEE website can pick up and configure this version and its corresponding language.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Assigned] (TOMEE-2999) Translate to Spanish: examples/polling-parent

2021-04-07 Thread Daniel Dias (Jira)


 [ 
https://issues.apache.org/jira/browse/TOMEE-2999?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Daniel Dias reassigned TOMEE-2999:
--

Assignee: Evaldo Junior






Build failed in Jenkins: TomEE » master-owasp-check #51

2021-04-07 Thread Apache Jenkins Server

Changes:

[vrossello] Fix MTOM example by using bom artifacts

[vrossello] Fix simple-webservice examples by using bom artifacts

[vrossello] Fix some webservice examples by using bom artifacts

[vrossello] Align dependencies with cxf 3.4.3 and use bom in examples

[vrossello] Fix example temporarily by excluding tomee-security dependency

[vrossello] Fix example using the right dependency scopes

[vrossello] Fix examples: api should be in provided scope

[github] Grammar fixes

[github] Further grammar updates

[David Blevins] Use TomEE BOMs

[David Blevins] Reformatted

[David Blevins] [TOMEE-2994] JAX-RS Provider construction favors constructor with the most args

[David Blevins] [TOMEE-2995] Support constructor injection of JAX-RS Application

[Richard Zowalla] TOMEE-2997 - Update OpenSAML to v3.4.6 (transient dependency of wss4j)

[Richard Zowalla] TOMEE-2997 - Regenerate BOMs to reflect the OpenSAML Update


--

Jenkins build is back to stable : TomEE » master-build-full #141

2021-04-07 Thread Apache Jenkins Server

Jenkins build is back to stable : TomEE » master-build-full » TomEE :: Examples :: Webservice Inheritance #141

2021-04-07 Thread Apache Jenkins Server

Jenkins build is back to stable : TomEE » master-build-full » TomEE :: Web Examples :: Change JAXWS URL #141

2021-04-07 Thread Apache Jenkins Server

Jenkins build is back to stable : TomEE » master-build-full » TomEE :: Examples :: Polling :: Web #141

2021-04-07 Thread Apache Jenkins Server

Jenkins build is back to stable : TomEE » master-build-full » TomEE :: Examples :: Application Composer, JAX-WS and CDI are in a boat #141

2021-04-07 Thread Apache Jenkins Server

Jenkins build is back to stable : TomEE » master-build-full » TomEE :: Web Examples :: EJB WebService WS Security with resources.xml #141

2021-04-07 Thread Apache Jenkins Server

Jenkins build is back to stable : TomEE » master-build-full » TomEE :: Examples :: Simple Webservice Without Interface #141

2021-04-07 Thread Apache Jenkins Server

Jenkins build is back to stable : TomEE » master-build-full » TomEE :: Web Examples :: EJB WebService with Security #141

2021-04-07 Thread Apache Jenkins Server

Jenkins build is back to stable : TomEE » master-build-full » TomEE :: Examples :: @WebService Holder #141

2021-04-07 Thread Apache Jenkins Server

Jenkins build is back to stable : TomEE » master-build-full » TomEE :: Web Examples :: EJB WebService with WS-Security #141

2021-04-07 Thread Apache Jenkins Server

Jenkins build is back to stable : TomEE » master-build-full » TomEE :: Examples :: Simple Webservice #141

2021-04-07 Thread Apache Jenkins Server

Jenkins build is back to stable : TomEE » master-build-full » TomEE :: Examples :: MTOM #141

2021-04-07 Thread Apache Jenkins Server

Jenkins build is back to stable : TomEE » master-build-full » TomEE :: Examples :: Web Service Handlers #141

2021-04-07 Thread Apache Jenkins Server

[jira] [Created] (TOMEE-2999) Translate to Spanish: examples/polling-parent

2021-04-07 Thread Evaldo Junior (Jira)
Evaldo Junior created TOMEE-2999:


 Summary: Translate to Spanish: examples/polling-parent
 Key: TOMEE-2999
 URL: https://issues.apache.org/jira/browse/TOMEE-2999
 Project: TomEE
  Issue Type: Sub-task
  Components: Examples and Documentation
Affects Versions: 8.0.5
Reporter: Evaldo Junior


Translate the README file into Spanish using the suffix `_es`, so that the TomEE 
website can pick up and configure this version and its corresponding language.





[jira] [Updated] (TOMEE-2998) Update Tomcat to 9.0.45

2021-04-07 Thread Richard Zowalla (Jira)


 [ 
https://issues.apache.org/jira/browse/TOMEE-2998?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Richard Zowalla updated TOMEE-2998:
---
Summary: Update Tomcat to 9.0.45  (was: Update to Tomcat 9.0.45)

> Update Tomcat to 9.0.45
> ---
>
> Key: TOMEE-2998
> URL: https://issues.apache.org/jira/browse/TOMEE-2998
> Project: TomEE
>  Issue Type: Dependency upgrade
>  Components: TomEE Core Server
>Affects Versions: 8.0.6
>Reporter: Richard Zowalla
>Assignee: Richard Zowalla
>Priority: Major
>
> https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.45_(markt)





[jira] [Created] (TOMEE-2998) Update to Tomcat 9.0.45

2021-04-07 Thread Richard Zowalla (Jira)
Richard Zowalla created TOMEE-2998:
--

 Summary: Update to Tomcat 9.0.45
 Key: TOMEE-2998
 URL: https://issues.apache.org/jira/browse/TOMEE-2998
 Project: TomEE
  Issue Type: Dependency upgrade
  Components: TomEE Core Server
Affects Versions: 8.0.6
Reporter: Richard Zowalla
Assignee: Richard Zowalla


https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.45_(markt)





[jira] [Resolved] (TOMEE-2993) API pom for each TomEE distribution

2021-04-07 Thread Richard Zowalla (Jira)


 [ 
https://issues.apache.org/jira/browse/TOMEE-2993?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Richard Zowalla resolved TOMEE-2993.

Resolution: Fixed

> API pom for each TomEE distribution
> ---
>
> Key: TOMEE-2993
> URL: https://issues.apache.org/jira/browse/TOMEE-2993
> Project: TomEE
>  Issue Type: New Feature
>Reporter: David Blevins
>Assignee: David Blevins
>Priority: Major
> Fix For: 8.0.7
>
>
> Provides a dependency projects can use with scope `provided` alongside the 
> pre-existing dependency that contains all TomEE libraries.
>  
> For example, to get TomEE MicroProfile into your classpath with the proper 
> scopes, use these dependencies:
> {code:java}
> <dependency>
>   <groupId>org.apache.tomee.bom</groupId>
>   <artifactId>tomee-microprofile-api</artifactId>
>   <version>8.0.7-SNAPSHOT</version>
>   <scope>provided</scope>
> </dependency>
> <dependency>
>   <groupId>org.apache.tomee.bom</groupId>
>   <artifactId>tomee-microprofile</artifactId>
>   <version>8.0.7-SNAPSHOT</version>
>   <scope>test</scope>
> </dependency>
> {code}





[jira] [Assigned] (TOMEE-2993) API pom for each TomEE distribution

2021-04-07 Thread Richard Zowalla (Jira)


 [ 
https://issues.apache.org/jira/browse/TOMEE-2993?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Richard Zowalla reassigned TOMEE-2993:
--

Assignee: David Blevins






[jira] [Updated] (TOMEE-2997) Update OpenSAML to V3.4.6

2021-04-07 Thread Richard Zowalla (Jira)


 [ 
https://issues.apache.org/jira/browse/TOMEE-2997?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Richard Zowalla updated TOMEE-2997:
---
Summary: Update OpenSAML to V3.4.6  (was: Update OpenSAML to V3.4.6 or later)

> Update OpenSAML to V3.4.6
> -
>
> Key: TOMEE-2997
> URL: https://issues.apache.org/jira/browse/TOMEE-2997
> Project: TomEE
>  Issue Type: Dependency upgrade
>  Components: TomEE Core Server
>Affects Versions: 8.0.6
>Reporter: Nikhil
>Assignee: Richard Zowalla
>Priority: Major
> Fix For: 8.0.7
>
> Attachments: opensaml_files.png
>
>
> TomEE's latest available version, 8.0.6, has the opensaml component version 3.3.1, 
> which is vulnerable to the security issues mentioned below:
>  
> h1. Vulnerability Details
> h2. CVE-2020-27978
> *Vulnerability Published:* 2020-10-28 11:15 EDT
> *Vulnerability Updated:* 2020-10-28 12:26 EDT
> *CVSS Score:* (under review, not scored yet - updates will be reported in 
> issue comments)
> *Summary*: Shibboleth Identity Provider 3.x before 3.4.6 has a denial of 
> service flaw. A remote unauthenticated attacker can cause a login flow to 
> trigger Java heap exhaustion due to the creation of objects in the Java 
> Servlet container session.
> h2. BDSA-2019-4785
> *Affected Component(s):* OpenSAML 2.0
> *Vulnerability Published:* 2020-10-29 11:37 EDT
> *Vulnerability Updated:* 2020-10-29 11:37 EDT
> *CVSS Score:* 6.5 (overall), 7.5 (base)
> *Summary*: Shibboleth Identity Provider is vulnerable to denial-of-service 
> (DoS) due to improper processing of authentication webflows. An attacker 
> could exploit this vulnerability by supplying a system with maliciously 
> crafted requests.
> 
> The issue is fixed in version 3.4.6 or later.





[jira] [Resolved] (TOMEE-2997) Update OpenSAML to V3.4.6 or later

2021-04-07 Thread Richard Zowalla (Jira)


 [ 
https://issues.apache.org/jira/browse/TOMEE-2997?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Richard Zowalla resolved TOMEE-2997.

Resolution: Fixed

I updated the OpenSAML dependency to 3.4.6 on the current master.

> Update OpenSAML to V3.4.6 or later
> --
>
> Key: TOMEE-2997
> URL: https://issues.apache.org/jira/browse/TOMEE-2997
> Project: TomEE
>  Issue Type: Dependency upgrade
>  Components: TomEE Core Server
>Affects Versions: 8.0.6
>Reporter: Nikhil
>Assignee: Richard Zowalla
>Priority: Major
> Fix For: 8.0.7
>
> Attachments: opensaml_files.png





[tomee] 01/02: TOMEE-2997 - Update OpenSAML to v3.4.6 (transient dependency of wss4j)

2021-04-07 Thread rzo1
This is an automated email from the ASF dual-hosted git repository.

rzo1 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomee.git

commit 91240c9631b9af395f289ee8d48d9c0bd8e3d8c4
Author: Richard Zowalla <13417392+r...@users.noreply.github.com>
AuthorDate: Wed Apr 7 15:31:50 2021 +0200

TOMEE-2997 - Update OpenSAML to v3.4.6 (transient dependency of wss4j)
---
 server/openejb-cxf/pom.xml | 95 ++
 1 file changed, 95 insertions(+)

diff --git a/server/openejb-cxf/pom.xml b/server/openejb-cxf/pom.xml
index 93c6127..440c460 100644
--- a/server/openejb-cxf/pom.xml
+++ b/server/openejb-cxf/pom.xml
@@ -34,6 +34,8 @@
   
 ${project.groupId}.server.cxf
 2.3.1
+
+3.4.6
 
   org.apache.xml.resolver*;resolution:=optional,
   *
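Review bot: the new property (its tag name is lost in this rendering, but the later hunks reference it as ${opensaml.version}) is a temporary override of a transitive wss4j dependency, per the TOMEE-2997 discussion where wss4j 2.3.2 with the fix was still unreleased; an XML comment next to the property saying so, and that it should be dropped once wss4j is bumped, would stop the next dependency update from silently pinning OpenSAML to 3.4.6 for good.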
@@ -78,6 +80,10 @@
   ehcache
 
 
+  org.ehcache
+  ehcache
+
+
   guava
   com.google.guava
 
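Review bot: this adds an org.ehcache:ehcache exclusion directly after the existing net.sf.ehcache:ehcache one, so both the ehcache 2 and the ehcache 3 coordinates are now kept out of this dependency; a one-line comment stating that intent would keep the next reader from taking one of the two for a typo, and the same pair is added again on another dependency at the end of this file.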
@@ -103,6 +109,91 @@
 
 
   org.apache.wss4j
+  wss4j-ws-security-common
+  ${wss4j.version}
+  
+
+  org.opensaml
+  opensaml-saml-impl
+
+
+  org.opensaml
+  opensaml-xacml-impl
+
+
+  org.opensaml
+  opensaml-xacml-saml-impl
+
+
+  org.apache.geronimo.specs
+  geronimo-javamail_1.4_spec
+
+
+  org.apache.geronimo.javamail
+  geronimo-javamail_1.4_mail
+
+
+  guava
+  com.google.guava
+
+  
+
+
+
+  org.opensaml
+  opensaml-saml-impl
+  ${opensaml.version}
+  
+
+  org.opensaml
+  opensaml-soap-impl
+
+
+  org.opensaml
+  opensaml-storage-api
+
+
+  org.opensaml
+  opensaml-messaging-api
+
+
+  org.apache.velocity
+  velocity
+
+
+  org.apache.httpcomponents
+  httpclient
+
+
+  com.google.code.findbugs
+  jsr305
+
+
+  com.google.guava
+  guava
+
+
+  org.cryptacular
+  cryptacular
+
+
+  io.dropwizard.metrics
+  metrics-core
+
+  
+
+
+  org.opensaml
+  opensaml-xacml-impl
+  ${opensaml.version}
+
+
+  org.opensaml
+  opensaml-xacml-saml-impl
+  ${opensaml.version}
+
+
+  org.apache.wss4j
   wss4j-policy
   ${wss4j.version}
 
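Review bot: this hunk pins only opensaml-saml-impl, opensaml-xacml-impl and opensaml-xacml-saml-impl to ${opensaml.version}; opensaml-core and the -api artefacts are not declared here and are expected to arrive transitively through the impl poms, so the resolved tree should be checked with `mvn dependency:tree -Dincludes=org.opensaml` to confirm no 3.3.1 artefact is left next to a 3.4.6 one (the regenerated BOMs in 02/02 show all 13 at 3.4.6, which is the evidence worth keeping). The exclusion list on opensaml-saml-impl also drops cryptacular, httpclient, guava, jsr305 and metrics-core; none of those is verified at compile time, so a missing class would only surface when a WS-Security flow actually runs, which argues for running the EJB WebService WS-Security examples from the Jenkins job in this thread before merging.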
@@ -115,6 +206,10 @@
   net.sf.ehcache
   ehcache
 
+
+  org.ehcache
+  ehcache
+
   
 
 
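Review bot: second copy of the org.ehcache:ehcache exclusion in this file, this time on a different dependency; the repetition is harmless, but it makes the commit message ("Update OpenSAML to v3.4.6") incomplete, so either mention the ehcache exclusions in the message or move them into their own commit.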


[tomee] 02/02: TOMEE-2997 - Regenerate BOMs to reflect the OpenSAML Update

2021-04-07 Thread rzo1
This is an automated email from the ASF dual-hosted git repository.

rzo1 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomee.git

commit 40b4915ee755ef046c50e39cd1d2c2a7c390584a
Author: Richard Zowalla <13417392+r...@users.noreply.github.com>
AuthorDate: Wed Apr 7 16:19:10 2021 +0200

TOMEE-2997 - Regenerate BOMs to reflect the OpenSAML Update
---
 boms/tomee-microprofile/pom.xml | 28 ++--
 boms/tomee-plume/pom.xml| 28 ++--
 boms/tomee-plus/pom.xml | 28 ++--
 3 files changed, 42 insertions(+), 42 deletions(-)

diff --git a/boms/tomee-microprofile/pom.xml b/boms/tomee-microprofile/pom.xml
index 8602874..69e197f 100644
--- a/boms/tomee-microprofile/pom.xml
+++ b/boms/tomee-microprofile/pom.xml
@@ -246,7 +246,7 @@
 
   net.shibboleth.utilities
   java-support
-  7.3.0
+  7.5.2
   
 
   *
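Review bot: net.shibboleth.utilities:java-support moves from 7.3.0 to 7.5.2 here, which is not an org.opensaml artefact and is not mentioned in the commit message; if it came along as the transitive requirement of OpenSAML 3.4.6, that deserves one line in the message, since it is the one bump in this commit a reader cannot derive from the ticket.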
@@ -1929,7 +1929,7 @@
 
   org.opensaml
   opensaml-core
-  3.3.1
+  3.4.6
   
 
   *
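Review bot: this and the following twelve hunks are regenerated BOM entries, so there is nothing to change in-line, but they are the only place the override in 01/02 is validated: opensaml-core and the -api artefacts are not pinned there, and their 3.4.6 here shows the transitive resolution came out right. A BOM regeneration is easy to forget after a partial override, so a build check that the BOM versions match the resolved dependency tree would catch the next one.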
@@ -1940,7 +1940,7 @@
 
   org.opensaml
   opensaml-profile-api
-  3.3.1
+  3.4.6
   
 
   *
@@ -1951,7 +1951,7 @@
 
   org.opensaml
   opensaml-saml-api
-  3.3.1
+  3.4.6
   
 
   *
@@ -1962,7 +1962,7 @@
 
   org.opensaml
   opensaml-saml-impl
-  3.3.1
+  3.4.6
   
 
   *
@@ -1973,7 +1973,7 @@
 
   org.opensaml
   opensaml-security-api
-  3.3.1
+  3.4.6
   
 
   *
@@ -1984,7 +1984,7 @@
 
   org.opensaml
   opensaml-security-impl
-  3.3.1
+  3.4.6
   
 
   *
@@ -1995,7 +1995,7 @@
 
   org.opensaml
   opensaml-soap-api
-  3.3.1
+  3.4.6
   
 
   *
@@ -2006,7 +2006,7 @@
 
   org.opensaml
   opensaml-xacml-api
-  3.3.1
+  3.4.6
   
 
   *
@@ -2017,7 +2017,7 @@
 
   org.opensaml
   opensaml-xacml-impl
-  3.3.1
+  3.4.6
   
 
   *
@@ -2028,7 +2028,7 @@
 
   org.opensaml
   opensaml-xacml-saml-api
-  3.3.1
+  3.4.6
   
 
   *
@@ -2039,7 +2039,7 @@
 
   org.opensaml
   opensaml-xacml-saml-impl
-  3.3.1
+  3.4.6
   
 
   *
@@ -2050,7 +2050,7 @@
 
   org.opensaml
   opensaml-xmlsec-api
-  3.3.1
+  3.4.6
   
 
   *
@@ -2061,7 +2061,7 @@
 
   org.opensaml
   opensaml-xmlsec-impl
-  3.3.1
+  3.4.6
   
 
   *
diff --git a/boms/tomee-plume/pom.xml b/boms/tomee-plume/pom.xml
index 0a527c4..4e058e0 100644
--- a/boms/tomee-plume/pom.xml
+++ b/boms/tomee-plume/pom.xml
@@ -246,7 +246,7 @@
 
   net.shibboleth.utilities
   java-support
-  7.3.0
+  7.5.2
   
 
   *
@@ -2039,7 +2039,7 @@
 
   org.opensaml
   opensaml-core
-  3.3.1
+  3.4.6
   
 
   *
@@ -2050,7 +2050,7 @@
 
   org.opensaml
   opensaml-profile-api
-  3.3.1
+  3.4.6
   
 
   *
@@ -2061,7 +2061,7 @@
 
   org.opensaml
   opensaml-saml-api
-  3.3.1
+  3.4.6
   
 
   *
@@ -2072,7 +2072,7 @@
 
   org.opensaml
   opensaml-saml-impl
-  3.3.1
+  3.4.6
   
 
   *
@@ -2083,7 +2083,7 @@
 
   org.opensaml
   opensaml-security-api
-  3.3.1
+  3.4.6
   
 
   *
@@ -2094,7 +2094,7 @@
 
   org.opensaml
   opensaml-security-impl
-  3.3.1
+  3.4.6
   
 
   *
@@ -2105,7 +2105,7 @@
 
   org.opensaml
   opensaml-soap-api
-  3.3.1
+  3.4.6
   
 
   *
@@ -2116,7 +2116,7 @@
 
   org.opensaml
   opensaml-xacml-api
-  3.3.1
+  3.4.6
   
 
   *
@@ -2127,7 +2127,7 @@
 
   org.opensaml
   opensaml-xacml-impl
-  3.3.1
+  3.4.6
   
 
   *
@@ -2138,7 +2138,7 @@
 
   org.opensaml
   opensaml-xacml-saml-api
-  3.3.1
+  3.4.6
   
 
   *
@@ -2149,7 +2149,7 @@
 
   org.opensaml
   opensaml-xacml-saml-impl
-  3.3.1
+  3.4.6
   
 
   *
@@ -2160,7 +2160,7 @@
 
   org.opensaml
   opensaml-xmlsec-api
-  3.3.1
+  3.4.6
   
 
   *
@@ -2171,7 +2171,7 @@
 
   org.opensaml
   opensaml-xmlsec-impl
-  3.3.1
+  3.4.6
   
 
   *
diff --git a/boms/tomee-plus/pom.xml b/boms/tomee-plus/pom.xml
index aff0c99..3b30c2f 100644
--- a/boms/tomee-plus/pom.xml
+++ b/boms/tomee-plus/pom.xml
@@ -246,7 +246,7 @@
 
   net.shibboleth.utilities
   java-support
-  7.3.0
+  7.5.2
   
 
   *
@@ -2061,7 

[tomee] branch master updated (a061c74 -> 40b4915)

2021-04-07 Thread rzo1
This is an automated email from the ASF dual-hosted git repository.

rzo1 pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/tomee.git.


from a061c74  [TOMEE-2995] Support constructor injection of JAX-RS Application
 new 91240c9  TOMEE-2997 - Update OpenSAML to v3.4.6 (transient dependency of wss4j)
 new 40b4915  TOMEE-2997 - Regenerate BOMs to reflect the OpenSAML Update

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 boms/tomee-microprofile/pom.xml | 28 ++--
 boms/tomee-plume/pom.xml| 28 ++--
 boms/tomee-plus/pom.xml | 28 ++--
 server/openejb-cxf/pom.xml  | 95 +
 4 files changed, 137 insertions(+), 42 deletions(-)


[jira] [Updated] (TOMEE-2997) Update OpenSAML to V3.4.6 or later

2021-04-07 Thread Richard Zowalla (Jira)


 [ 
https://issues.apache.org/jira/browse/TOMEE-2997?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Richard Zowalla updated TOMEE-2997:
---
Fix Version/s: 8.0.7

> Update OpenSAML to V3.4.6 or later
> --
>
> Key: TOMEE-2997
> URL: https://issues.apache.org/jira/browse/TOMEE-2997
> Project: TomEE
>  Issue Type: Dependency upgrade
>  Components: TomEE Core Server
>Affects Versions: 8.0.6
>Reporter: Nikhil
>Assignee: Richard Zowalla
>Priority: Major
> Fix For: 8.0.7
>
> Attachments: opensaml_files.png





[jira] [Assigned] (TOMEE-2997) Update OpenSAML to V3.4.6 or later

2021-04-07 Thread Richard Zowalla (Jira)


 [ 
https://issues.apache.org/jira/browse/TOMEE-2997?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Richard Zowalla reassigned TOMEE-2997:
--

Assignee: Richard Zowalla

> Update OpenSAML to V3.4.6 or later
> --
>
> Key: TOMEE-2997
> URL: https://issues.apache.org/jira/browse/TOMEE-2997
> Project: TomEE
>  Issue Type: Dependency upgrade
>  Components: TomEE Core Server
>Affects Versions: 8.0.6
>Reporter: Nikhil
>Assignee: Richard Zowalla
>Priority: Major
> Attachments: opensaml_files.png





[jira] [Commented] (TOMEE-2997) Update OpenSAML to V3.4.6 or later

2021-04-07 Thread Nikhil (Jira)


[ 
https://issues.apache.org/jira/browse/TOMEE-2997?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17316293#comment-17316293
 ] 

Nikhil commented on TOMEE-2997:
---

Thanks for the update [~rzo1]

IMHO, it is considerably easier & less effort to update opensaml to version 
3.4.6 (since it is currently on 3.4.5), and there are no major changes as such.

> Update OpenSAML to V3.4.6 or later
> --
>
> Key: TOMEE-2997
> URL: https://issues.apache.org/jira/browse/TOMEE-2997
> Project: TomEE
>  Issue Type: Dependency upgrade
>  Components: TomEE Core Server
>Affects Versions: 8.0.6
>Reporter: Nikhil
>Priority: Major
> Attachments: opensaml_files.png





[jira] [Commented] (TOMEE-2997) Update OpenSAML to V3.4.6 or later

2021-04-07 Thread Richard Zowalla (Jira)


[ 
https://issues.apache.org/jira/browse/TOMEE-2997?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17316190#comment-17316190
 ] 

Richard Zowalla commented on TOMEE-2997:


Yup. I already got the intention behind the report.

From a dev perspective:
 * We are at 3.4.5 on the current master (8.0.7-SNAPSHOT) but we need to be >= 
3.4.6 to mitigate it.
 * The opensaml libraries are transient dependencies of wss4j.

Thus, we either need to update wss4j to 2.3.2 (unreleased yet) *or* override 
opensaml to 3.4.6 in the TomEE codebase until 2.3.2 gets released ;)

> Update OpenSAML to V3.4.6 or later
> --
>
> Key: TOMEE-2997
> URL: https://issues.apache.org/jira/browse/TOMEE-2997
> Project: TomEE
>  Issue Type: Dependency upgrade
>  Components: TomEE Core Server
>Affects Versions: 8.0.6
>Reporter: Nikhil
>Priority: Major
> Attachments: opensaml_files.png





[jira] [Updated] (TOMEE-2997) Update OpenSAML to V3.4.6 or later

2021-04-07 Thread Nikhil (Jira)


 [ 
https://issues.apache.org/jira/browse/TOMEE-2997?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Nikhil updated TOMEE-2997:
--
Attachment: opensaml_files.png

> Update OpenSAML to V3.4.6 or later
> --
>
> Key: TOMEE-2997
> URL: https://issues.apache.org/jira/browse/TOMEE-2997
> Project: TomEE
>  Issue Type: Dependency upgrade
>  Components: TomEE Core Server
>Affects Versions: 8.0.6
>Reporter: Nikhil
>Priority: Major
> Attachments: opensaml_files.png





[jira] [Commented] (TOMEE-2997) Update OpenSAML to V3.4.6 or later

2021-04-07 Thread Nikhil (Jira)


[ https://issues.apache.org/jira/browse/TOMEE-2997?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17316189#comment-17316189 ]

Nikhil commented on TOMEE-2997:
---

Hi [~rzo1]

We are referring to the opensaml libraries (such as opensaml-core-3.3.1.jar, etc.) 
that are part of the TomEE distribution; the complete list is shown in the 
attached file.






[jira] [Commented] (TOMEE-2997) Update OpenSAML to V3.4.6 or later

2021-04-07 Thread Richard Zowalla (Jira)


[ https://issues.apache.org/jira/browse/TOMEE-2997?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17316176#comment-17316176 ]

Richard Zowalla commented on TOMEE-2997:


The related update was conducted with 
https://github.com/apache/ws-wss4j/commit/d2b5b207d5fe53c96aee6a98be7663194ac306b6 
in the wss4j project. I guess that the next release 2.3.2 will take care of 
the transient dependency, but if we want to mitigate it before a 2.3.2 release 
is out, we would need to override this transient dependency in our code. WDYT?






[jira] [Commented] (TOMEE-2997) Update OpenSAML to V3.4.6 or later

2021-04-07 Thread Richard Zowalla (Jira)


[ https://issues.apache.org/jira/browse/TOMEE-2997?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17316146#comment-17316146 ]

Richard Zowalla commented on TOMEE-2997:


It seems we have upgraded to wss4j (2.3.1), which brings opensaml in version 
3.4.5 with it.

I guess we would need to (a) check the changelogs of 3.4.6 and (b) override 
this transient dependency of wss4j to get v3.4.6.

Afaik, we are at v3.4.5 on master atm.






[jira] [Commented] (TOMEE-2996) Upgrade CXF to 3.3.10 / 3.4.3 in TomEE

2021-04-07 Thread Nikhil (Jira)


[ https://issues.apache.org/jira/browse/TOMEE-2996?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17316133#comment-17316133 ]

Nikhil commented on TOMEE-2996:
---

Thanks for the reference [~rzo1]

Can you please let us know if there is any idea on TomEE 8.0.7 release 
timelines?

> Upgrade CXF to 3.3.10 / 3.4.3 in TomEE
> --
>
> Key: TOMEE-2996
> URL: https://issues.apache.org/jira/browse/TOMEE-2996
> Project: TomEE
>  Issue Type: Dependency upgrade
>  Components: TomEE Core Server
>Affects Versions: 8.0.6
>Reporter: Nikhil
>Priority: Major
> Fix For: 8.0.7
>
>
> Apache TomEE version 8.0.6 contains a vulnerable version of the cxf libraries (i.e. 
> *cxf-core-3.3.8.jar*).
>  
> _See Apache CXF - *CVE-2021-22696* for more details._
>  
> h1. Vulnerability Details
> h2. CVE-2021-22696
> *Vulnerability Published:* 2021-04-02 06:15 EDT
> *Vulnerability Updated:* 2021-04-02 14:15 EDT
> *CVSS Score:* (under review, not scored yet - updates will be reported in 
> issue comments)
> *Summary*: CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters 
> via a JWT token as opposed to query parameters (see: The OAuth 2.0 
> Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of 
> sending a JWT token as a "request" parameter, the spec also supports 
> specifying a URI from which to retrieve a JWT token via the 
> "request_uri" parameter. CXF was not validating the "request_uri" parameter 
> (apart from ensuring it uses "https") and was making a REST request to the 
> parameter in the request to retrieve a token. This means that CXF was 
> vulnerable to DDoS attacks on the authorization server, as specified in 
> section 10.4.1 of the spec. This issue affects Apache CXF versions prior to 
> 3.4.3; Apache CXF versions prior to 3.3.10.
> *Solution*: N/A
> *Workaround*: N/A
> h2. BDSA-2021-0853
> *Affected Component(s):* Apache CXF
> *Vulnerability Published:* 2021-04-02 11:35 EDT
> *Vulnerability Updated:* 2021-04-02 11:35 EDT
> *CVSS Score:* 6.5 (overall), 7.5 (base)
> *Summary*: Apache CXF is vulnerable to distributed denial-of-service (DDoS) 
> via passing *OAuth 2* parameters via a *JWT* token. An attacker could exploit 
> this in order to cause the authorization server to crash.
> *Solution*: Fixed in 
> [*3.4.3*|https://github.com/apache/cxf/releases/tag/cxf-3.4.3] by 
> [this|https://github.com/apache/cxf/commit/7d5d2c7a019dd1e1d0566daf9f1ed5b7b0dd66b7]
>  and 
> [this|https://github.com/apache/cxf/commit/aee3bf291a7387cc492aa0dbdb0fb2af96687994]
>  commit. Fixed in 
> [*3.3.10*|https://github.com/apache/cxf/releases/tag/cxf-3.3.10] by 
> [this|https://github.com/apache/cxf/commit/69953c8320629d9e44bee3419fb7b634d04a43da]
>  and 
> [this|https://github.com/apache/cxf/commit/10cb20adba95dad3dd37317059a9230e155401ca]
>  commit.
> The latest stable releases are available 
> [here|https://github.com/apache/cxf/releases].
> *Workaround*: N/A
>  





[jira] [Resolved] (TOMEE-2996) Upgrade CXF to 3.3.10 / 3.4.3 in TomEE

2021-04-07 Thread Richard Zowalla (Jira)


[ https://issues.apache.org/jira/browse/TOMEE-2996?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Richard Zowalla resolved TOMEE-2996.

Fix Version/s: 8.0.7
   Resolution: Duplicate






[jira] [Commented] (TOMEE-2996) Upgrade CXF to 3.3.10 / 3.4.3 in TomEE

2021-04-07 Thread Richard Zowalla (Jira)


[ https://issues.apache.org/jira/browse/TOMEE-2996?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17316125#comment-17316125 ]

Richard Zowalla commented on TOMEE-2996:


Thanks for reporting it.

This is a duplicate of https://issues.apache.org/jira/browse/TOMEE-2987 - it 
was fixed with [https://github.com/apache/tomee/pull/777] 






[jira] [Created] (TOMEE-2997) Update OpenSAML to V3.4.6 or later

2021-04-07 Thread Nikhil (Jira)
Nikhil created TOMEE-2997:
-

 Summary: Update OpenSAML to V3.4.6 or later
 Key: TOMEE-2997
 URL: https://issues.apache.org/jira/browse/TOMEE-2997
 Project: TomEE
  Issue Type: Dependency upgrade
  Components: TomEE Core Server
Affects Versions: 8.0.6
Reporter: Nikhil


TomEE latest available version 8.0.6 has the opensaml component version 3.3.1 
which is vulnerable to security issues mentioned below -

 
h1. Vulnerability Details
h2. CVE-2020-27978

*Vulnerability Published:* 2020-10-28 11:15 EDT
*Vulnerability Updated:* 2020-10-28 12:26 EDT
*CVSS Score:* (under review, not scored yet - updates will be reported in issue 
comments)

*Summary*: Shibboleth Identity Provider 3.x before 3.4.6 has a denial of 
service flaw. A remote unauthenticated attacker can cause a login flow to 
trigger Java heap exhaustion due to the creation of objects in the Java Servlet 
container session.
h2. BDSA-2019-4785

*Affected Component(s):* OpenSAML 2.0
*Vulnerability Published:* 2020-10-29 11:37 EDT
*Vulnerability Updated:* 2020-10-29 11:37 EDT
*CVSS Score:* 6.5 (overall), 7.5 (base)

*Summary*: Shibboleth Identity Provider is vulnerable to denial-of-service 
(DoS) due to improper processing of authentication webflows. An attacker could 
exploit this vulnerability by supplying a system with maliciously crafted 
requests.

The issue is fixed in version 3.4.6 or later





[jira] [Created] (TOMEE-2996) Upgrade CXF to 3.3.10 / 3.4.3 in TomEE

2021-04-07 Thread Nikhil (Jira)
Nikhil created TOMEE-2996:
-

 Summary: Upgrade CXF to 3.3.10 / 3.4.3 in TomEE
 Key: TOMEE-2996
 URL: https://issues.apache.org/jira/browse/TOMEE-2996
 Project: TomEE
  Issue Type: Dependency upgrade
  Components: TomEE Core Server
Affects Versions: 8.0.6
Reporter: Nikhil


Apache TomEE version 8.0.6 contains a vulnerable version of the cxf libraries (i.e. 
*cxf-core-3.3.8.jar*).

 

_See Apache CXF - *CVE-2021-22696* for more details._

 
h1. Vulnerability Details
h2. CVE-2021-22696

*Vulnerability Published:* 2021-04-02 06:15 EDT
*Vulnerability Updated:* 2021-04-02 14:15 EDT
*CVSS Score:* (under review, not scored yet - updates will be reported in issue 
comments)

*Summary*: CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters 
via a JWT token as opposed to query parameters (see: The OAuth 2.0 
Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of 
sending a JWT token as a "request" parameter, the spec also supports specifying 
a URI from which to retrieve a JWT token via the "request_uri" parameter. 
CXF was not validating the "request_uri" parameter (apart from ensuring it uses 
"https") and was making a REST request to the parameter in the request to 
retrieve a token. This means that CXF was vulnerable to DDoS attacks on the 
authorization server, as specified in section 10.4.1 of the spec. This issue 
affects Apache CXF versions prior to 3.4.3; Apache CXF versions prior to 3.3.10.

*Solution*: N/A

*Workaround*: N/A
h2. BDSA-2021-0853

*Affected Component(s):* Apache CXF
*Vulnerability Published:* 2021-04-02 11:35 EDT
*Vulnerability Updated:* 2021-04-02 11:35 EDT
*CVSS Score:* 6.5 (overall), 7.5 (base)

*Summary*: Apache CXF is vulnerable to distributed denial-of-service (DDoS) via 
passing *OAuth 2* parameters via a *JWT* token. An attacker could exploit this 
in order to cause the authorization server to crash.

*Solution*: Fixed in 
[*3.4.3*|https://github.com/apache/cxf/releases/tag/cxf-3.4.3] by 
[this|https://github.com/apache/cxf/commit/7d5d2c7a019dd1e1d0566daf9f1ed5b7b0dd66b7]
 and 
[this|https://github.com/apache/cxf/commit/aee3bf291a7387cc492aa0dbdb0fb2af96687994]
 commit. Fixed in 
[*3.3.10*|https://github.com/apache/cxf/releases/tag/cxf-3.3.10] by 
[this|https://github.com/apache/cxf/commit/69953c8320629d9e44bee3419fb7b634d04a43da]
 and 
[this|https://github.com/apache/cxf/commit/10cb20adba95dad3dd37317059a9230e155401ca]
 commit.

The latest stable releases are available 
[here|https://github.com/apache/cxf/releases].

*Workaround*: N/A

 



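An added example, not CXF's or TomEE's own code, contrasting the scheme-only request_uri check the CVE text describes with a check that admits only request_uri values pre-registered per client, which is the pre-registration mitigation the JAR spec discusses in section 10.4.1. The client id and the registered URI are constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not CXF or TomEE code): request_uri admission checks for a
 * JAR-style authorization endpoint, applied before any network fetch is made.
 */
public final class RequestUriPolicy {

    // Constructed sample registry: request_uri values a client registered out of
    // band. The client id and URI are hypothetical, not taken from the ticket.
    private static final Map<String, Set<String>> REGISTERED_REQUEST_URIS = Map.of(
            "client-42", Set.of("https://rp.example/jar/auth-request"));

    /** The pre-fix behaviour the CVE text describes: only the scheme is checked. */
    static boolean schemeOnlyCheck(String requestUri) {
        return requestUri != null && requestUri.startsWith("https://");
    }

    /**
     * Hardened check: the value must parse as an absolute https URI with a host,
     * carry no user-info or fragment, and match exactly (after normalisation)
     * a request_uri pre-registered for the calling client. Anything else is
     * refused without issuing an outbound request, so the authorization server
     * never fetches from a location it did not already know.
     */
    static boolean isRegisteredRequestUri(String clientId, String requestUri) {
        if (clientId == null || requestUri == null) {
            return false;
        }
        final URI uri;
        try {
            uri = new URI(requestUri).normalize();
        } catch (URISyntaxException e) {
            return false;
        }
        if (!"https".equalsIgnoreCase(uri.getScheme()) || uri.getHost() == null) {
            return false;
        }
        if (uri.getUserInfo() != null || uri.getFragment() != null) {
            return false;
        }
        Set<String> known = REGISTERED_REQUEST_URIS.getOrDefault(clientId, Set.of());
        return known.contains(uri.toString());
    }

    public static void main(String[] args) {
        String registered = "https://rp.example/jar/auth-request";
        String unregistered = "https://other.example/anything";
        // The scheme-only check accepts both; the allowlist accepts only the registered one.
        System.out.println(schemeOnlyCheck(registered) + " " + schemeOnlyCheck(unregistered));
        System.out.println(isRegisteredRequestUri("client-42", registered)
                + " " + isRegisteredRequestUri("client-42", unregistered));
    }
}
```

The fetch that follows an accepted request_uri should still carry connect and read timeouts and a response-size bound, since the allowlist alone does not cap what a registered endpoint returns.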