On Mon, Sep 18, 2023 at 8:50 PM Julian Reschke <julian.resc...@gmx.de> wrote:
>
> To whom it may concern...
>
> Jackrabbit's RMI support has been essentially unmaintained for half a
> decade now, and also does not support JCR 2.0.
>
> We recently had to go into emergency mode due to vulnerabilities of
> components used by us when accessed over RMI (see
> https://nvd.nist.gov/vuln/detail/CVE-2023-37895).
>
> In response to that, we have changed the default settings in our server
> and standalone bundles (https://issues.apache.org/jira/browse/JCR-4960),
> and have removed the use of the vulnerable component
> (https://issues.apache.org/jira/browse/JCR-4949).
>
> As next steps, I'd like to first formally deprecate jackrabbit-jcr-rmi
> (https://issues.apache.org/jira/browse/JCR-4973), and then later remove
> it altogether (https://issues.apache.org/jira/browse/JCR-4972). The
> deprecation would get backported to the stable maintenance branch
> (2.20.x), while the removal would only happen in the unstable branch for
> now.

+1 on both deprecating jackrabbit-jcr-rmi now and removing it later.

Thanks,

Woonsan

>
> Feedback appreciated (either here or in the tickets).
>
> Best regards, Julian