Hi Dave,
here a few answers.
Re 1: That's correct, the latest released OpenCMIS version is 1.1.
Re 2: Yes and no. Apache CXF is only needed if you want to support the
Webservices binding (which is rather likely for a CMIS server). It is
possible to drop in a newer Apache CXF version, though.
Re 3: There is an unreleased version with updated dependencies in the
Apache Chemistry SVN trunk. There were talks about a new (and final)
release, but there is nothing scheduled at this point.
- Florian
Am 04.02.2021 20:52 schrieb David Radio:
Hello!
Thank you in advance for your time and attention to my questions.
1. Is it true that the latest release of OpenCMIS Server is version
1.1?
2. Is it acceptable to say OpenCMIS 1.1 is dependent on Apache CXF
3.1.2 which is vulnerable to CVE-2019-12419?
3. Is there a newer release of OpenCMIS Server on the horizon with
updated dependencies?
Thank You!
Dave
