[
https://issues.apache.org/jira/browse/TOMEE-2876?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17183350#comment-17183350
]
Jonathan Gallimore commented on TOMEE-2876:
-------------------------------------------
Let's leave this open, because there are some potential options to patch this
that are worth exploring.
With respect to your feedback:
> We are between two chairs here. CXF and TomEE. We decided to go with TomEE 7
>one year ago, when TomEE 8 wasn't stable enough. CXF doesn't want to backport,
>TomEE doesn't want to implement a new API.
JAX-RS is the API, CXF is the implementation. Theoretically, we could change to
something different, but TomEE consciously chooses to use Apache
implementations where possible. Creating a new implementation of JAX-RS from
scratch is likely a very substantial task.
> We have the same issue in our project. In the current stabilizing phase we
> want to avoid implementing new APIs. Updating to TomEE v8 is therefore not an
> option.
You'd be moving to a newer version of the JAX-RS API. The APIs tend to be
backwards compatible (Jakarta EE 9 with the namespace change is an exception).
I wouldn't expect you to run into issues moving from TomEE 7 -> 8. If you tried
it, and did run into issues, we'd be interested to know what those issues are.
> Fix cxf CVE issues
> ------------------
>
> Key: TOMEE-2876
> URL: https://issues.apache.org/jira/browse/TOMEE-2876
> Project: TomEE
> Issue Type: Dependency upgrade
> Components: TomEE Build
> Affects Versions: 7.1.3
> Reporter: Leandro Vale
> Assignee: Jonathan Gallimore
> Priority: Major
>
> The following CVE vulnerabilities have been identified in cxf 3.1.18:
> * CVE-2019-12423
> * CVE-2020-1954
> * CVE-2019-12406
> Please consider upgrading to at least v3.3.6 (latest v3.3.7).
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
