[jira] [Commented] (TOMEE-2737) Update some third parties because of CVEs

Jonathan Gallimore (Jira) Wed, 13 Nov 2019 04:24:55 -0800


    [ 
https://issues.apache.org/jira/browse/TOMEE-2737?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16973303#comment-16973303
 ]


Jonathan Gallimore commented on TOMEE-2737:
-------------------------------------------

Thanks for filing this. These have already been done:

 

Update to Jackson Databind 2.10.0: 
[https://github.com/apache/tomee/commit/5e38138463f65146c4087da8085c8dcd93079ef1]

TOMEE-2725 update beanutils to 1.9.4: 
[https://github.com/apache/tomee/commit/0e433e9e565dac45c2c04368f8da6f1e827db295]

TOMEE-2726 update Xmlsec to 2.1.4: 
[https://github.com/apache/tomee/commit/e3b05ddf8e4e06286f45a936474fee4eee6dcc99]

 

> Update some third parties because of CVEs
> -----------------------------------------
>
>                 Key: TOMEE-2737
>                 URL: https://issues.apache.org/jira/browse/TOMEE-2737
>             Project: TomEE
>          Issue Type: Improvement
>          Components: TomEE Core Server
>    Affects Versions: 8.0.0-Final
>            Reporter: François Courtault
>            Priority: Major
>
> Hello,
> There are several CVEs linked to some third parties embedded like jackson and 
> xmlsec (santuario).
> Could you update those third parties ?
> jackson-databind from 2.9.9.3 to 2.9.10 at least--
> xmlsec from 2.1.2 to 2.1.4 at least
> commons-beanutils from 1.9.3 to 1.9.4 (don't know if the latest version fixes 
> any CVE)
> ...
> Best Regards.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (TOMEE-2737) Update some third parties because of CVEs

Reply via email to