[https://issues.apache.org/jira/browse/KARAF-7227?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17386063#comment-17386063]
Jean-Baptiste Onofré commented on KARAF-7227:
---------------------------------------------
I mean they don't come with Karaf itself, but with additional features like jms or
pax-jms.
Furthermore, jms/pax-jms use JMS 1 for instance, not yet 2, and
geronimo_jms_1.1 1.1.1 is the latest available:
[https://repo1.maven.org/maven2/org/apache/geronimo/specs/geronimo-jms_1.1_spec/1.1.1/]
So, finally, CVE-2011-5034 doesn't affect all geronimo artifacts, but mostly
runtime ones (not spec). So, I don't see any issue here with spec bundles.
> Upgrade geronimo artifacts to mitigate CVE-2011-5034
> ----------------------------------------------------
>
> Key: KARAF-7227
> URL: https://issues.apache.org/jira/browse/KARAF-7227
> Project: Karaf
> Issue Type: Task
> Components: karaf
> Affects Versions: 4.3.2
> Reporter: Karthick
> Assignee: Jean-Baptiste Onofré
> Priority: Major
>
> Security scans on Apache Karaf 4.3.2 show we are impacted by CVE-2011-5034
> on the packed Apache Geronimo version. Karaf must start upgrading the Geronimo
> jms* and jta* components to versions unaffected by this CVE.