[jira] [Commented] (CXF-8687) Version 3.4.6 contains vulnerable spring version
[ https://issues.apache.org/jira/browse/CXF-8687?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17520945#comment-17520945 ] Gary D. Gregory commented on CXF-8687: -- [~coheigea] Thank you. > Version 3.4.6 contains vulnerable spring version > > > Key: CXF-8687 > URL: https://issues.apache.org/jira/browse/CXF-8687 > Project: CXF > Issue Type: Bug > Components: Core >Affects Versions: 3.4.6 >Reporter: Mathieu Veurman >Priority: Critical > > Version 3.4.6 contains the vulnerable spring core version 5.2.19, containing > this CVE: > CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+ > > I do see this commit where the proper version of spring is referenced: > [https://github.com/apache/cxf/commit/0f8b5a2c2a66ab62c931096aaf512390d58fef3d] > > Any chance this will be released quickly as 3.4.7? -- This message was sent by Atlassian Jira (v8.20.1#820001)
[jira] [Commented] (CXF-8687) Version 3.4.6 contains vulnerable spring version
[ https://issues.apache.org/jira/browse/CXF-8687?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17520933#comment-17520933 ] Colm O hEigeartaigh commented on CXF-8687: -- [https://repo1.maven.org/maven2/org/apache/cxf/apache-cxf/3.4.7/] > Version 3.4.6 contains vulnerable spring version > > > Key: CXF-8687 > URL: https://issues.apache.org/jira/browse/CXF-8687 > Project: CXF > Issue Type: Bug > Components: Core >Affects Versions: 3.4.6 >Reporter: Mathieu Veurman >Priority: Critical > > Version 3.4.6 contains the vulnerable spring core version 5.2.19, containing > this CVE: > CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+ > > I do see this commit where the proper version of spring is referenced: > [https://github.com/apache/cxf/commit/0f8b5a2c2a66ab62c931096aaf512390d58fef3d] > > Any chance this will be released quickly as 3.4.7? -- This message was sent by Atlassian Jira (v8.20.1#820001)
[jira] [Commented] (CXF-8687) Version 3.4.6 contains vulnerable spring version
[ https://issues.apache.org/jira/browse/CXF-8687?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17519130#comment-17519130 ] Gary D. Gregory commented on CXF-8687: -- Hi [~reta] I only need to track 3.4.x ;) > Version 3.4.6 contains vulnerable spring version > > > Key: CXF-8687 > URL: https://issues.apache.org/jira/browse/CXF-8687 > Project: CXF > Issue Type: Bug > Components: Core >Affects Versions: 3.4.6 >Reporter: Mathieu Veurman >Priority: Critical > > Version 3.4.6 contains the vulnerable spring core version 5.2.19, containing > this CVE: > CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+ > > I do see this commit where the proper version of spring is referenced: > [https://github.com/apache/cxf/commit/0f8b5a2c2a66ab62c931096aaf512390d58fef3d] > > Any chance this will be released quickly as 3.4.7? -- This message was sent by Atlassian Jira (v8.20.1#820001)
[jira] [Commented] (CXF-8687) Version 3.4.6 contains vulnerable spring version
[ https://issues.apache.org/jira/browse/CXF-8687?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17519129#comment-17519129 ] Andriy Redko commented on CXF-8687: --- [~ggregory] for 3.5.1 - it is different Spring Framework version, see please [https://github.com/apache/cxf/commit/4d0f11df86ab9bf4d9c87505f811a06989ce9cfa,] if you want to track that separately, creating another Jira issue would be better, thank you. > Version 3.4.6 contains vulnerable spring version > > > Key: CXF-8687 > URL: https://issues.apache.org/jira/browse/CXF-8687 > Project: CXF > Issue Type: Bug > Components: Core >Affects Versions: 3.4.6 >Reporter: Mathieu Veurman >Priority: Critical > > Version 3.4.6 contains the vulnerable spring core version 5.2.19, containing > this CVE: > CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+ > > I do see this commit where the proper version of spring is referenced: > [https://github.com/apache/cxf/commit/0f8b5a2c2a66ab62c931096aaf512390d58fef3d] > > Any chance this will be released quickly as 3.4.7? -- This message was sent by Atlassian Jira (v8.20.1#820001)
[jira] [Commented] (CXF-8687) Version 3.4.6 contains vulnerable spring version
[ https://issues.apache.org/jira/browse/CXF-8687?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17519120#comment-17519120 ] Gary D. Gregory commented on CXF-8687: -- Hi All: I cannot edit "Affects Version/s:", it should include 3.5.1. > Version 3.4.6 contains vulnerable spring version > > > Key: CXF-8687 > URL: https://issues.apache.org/jira/browse/CXF-8687 > Project: CXF > Issue Type: Bug > Components: Core >Affects Versions: 3.4.6 >Reporter: Mathieu Veurman >Priority: Critical > > Version 3.4.6 contains the vulnerable spring core version 5.2.19, containing > this CVE: > CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+ > > I do see this commit where the proper version of spring is referenced: > [https://github.com/apache/cxf/commit/0f8b5a2c2a66ab62c931096aaf512390d58fef3d] > > Any chance this will be released quickly as 3.4.7? -- This message was sent by Atlassian Jira (v8.20.1#820001)
[jira] [Commented] (CXF-8687) Version 3.4.6 contains vulnerable spring version
[ https://issues.apache.org/jira/browse/CXF-8687?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17518241#comment-17518241 ] Colm O hEigeartaigh commented on CXF-8687: -- [~ggregory] Mailing list thread - [https://lists.apache.org/thread/cs6l6f47sgxp73twb33wlvzrk1sqbx32] > Version 3.4.6 contains vulnerable spring version > > > Key: CXF-8687 > URL: https://issues.apache.org/jira/browse/CXF-8687 > Project: CXF > Issue Type: Bug > Components: Core >Affects Versions: 3.4.6 >Reporter: Mathieu Veurman >Priority: Critical > > Version 3.4.6 contains the vulnerable spring core version 5.2.19, containing > this CVE: > CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+ > > I do see this commit where the proper version of spring is referenced: > [https://github.com/apache/cxf/commit/0f8b5a2c2a66ab62c931096aaf512390d58fef3d] > > Any chance this will be released quickly as 3.4.7? -- This message was sent by Atlassian Jira (v8.20.1#820001)
[jira] [Commented] (CXF-8687) Version 3.4.6 contains vulnerable spring version
[ https://issues.apache.org/jira/browse/CXF-8687?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17518196#comment-17518196 ] Colm O hEigeartaigh commented on CXF-8687: -- Yes, we'll aim to get a release out next week. > Version 3.4.6 contains vulnerable spring version > > > Key: CXF-8687 > URL: https://issues.apache.org/jira/browse/CXF-8687 > Project: CXF > Issue Type: Bug > Components: Core >Affects Versions: 3.4.6 >Reporter: Mathieu Veurman >Priority: Critical > > Version 3.4.6 contains the vulnerable spring core version 5.2.19, containing > this CVE: > CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+ > > I do see this commit where the proper version of spring is referenced: > [https://github.com/apache/cxf/commit/0f8b5a2c2a66ab62c931096aaf512390d58fef3d] > > Any chance this will be released quickly as 3.4.7? -- This message was sent by Atlassian Jira (v8.20.1#820001)
[jira] [Commented] (CXF-8687) Version 3.4.6 contains vulnerable spring version
[ https://issues.apache.org/jira/browse/CXF-8687?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17518184#comment-17518184 ] Mathieu Veurman commented on CXF-8687: -- Any news on this > Version 3.4.6 contains vulnerable spring version > > > Key: CXF-8687 > URL: https://issues.apache.org/jira/browse/CXF-8687 > Project: CXF > Issue Type: Bug > Components: Core >Affects Versions: 3.4.6 >Reporter: Mathieu Veurman >Priority: Critical > > Version 3.4.6 contains the vulnerable spring core version 5.2.19, containing > this CVE: > CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+ > > I do see this commit where the proper version of spring is referenced: > [https://github.com/apache/cxf/commit/0f8b5a2c2a66ab62c931096aaf512390d58fef3d] > > Any chance this will be released quickly as 3.4.7? -- This message was sent by Atlassian Jira (v8.20.1#820001)
[jira] [Commented] (CXF-8687) Version 3.4.6 contains vulnerable spring version
[ https://issues.apache.org/jira/browse/CXF-8687?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17517421#comment-17517421 ] Gary D. Gregory commented on CXF-8687: -- {quote}Any chance this will be released quickly as 3.4.7? {quote} +1 please > Version 3.4.6 contains vulnerable spring version > > > Key: CXF-8687 > URL: https://issues.apache.org/jira/browse/CXF-8687 > Project: CXF > Issue Type: Bug > Components: Core >Affects Versions: 3.4.6 >Reporter: Mathieu Veurman >Priority: Critical > > Version 3.4.6 contains the vulnerable spring core version 5.2.19, containing > this CVE: > CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+ > > I do see this commit where the proper version of spring is referenced: > [https://github.com/apache/cxf/commit/0f8b5a2c2a66ab62c931096aaf512390d58fef3d] > > Any chance this will be released quickly as 3.4.7? -- This message was sent by Atlassian Jira (v8.20.1#820001)