[jira] [Commented] (CXF-8776) Version 3.5.4 contains security vulnerable woodstox version
[ https://issues.apache.org/jira/browse/CXF-8776?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17624541#comment-17624541 ] Colm O hEigeartaigh commented on CXF-8776: -- We normally release every 2 months, so mid-December. > Version 3.5.4 contains security vulnerable woodstox version > --- > > Key: CXF-8776 > URL: https://issues.apache.org/jira/browse/CXF-8776 > Project: CXF > Issue Type: Bug > Components: JAX-RS >Affects Versions: 3.5.4 >Reporter: Shalom Yaish >Assignee: Colm O hEigeartaigh >Priority: Major > Fix For: 3.5.5 > > > Version 3.5.4 contains the security vulnerable woodstox-core- 6.2.8 > containing this CVE: > CVE-2022-40151 - CVE-2022-40156 > [https://www.mend.io/vulnerability-database/CVE-2022-40151] > The fix existed at woodstox-core-6.4.0 > > Any chance this will be released quickly ? -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (CXF-8776) Version 3.5.4 contains security vulnerable woodstox version
[ https://issues.apache.org/jira/browse/CXF-8776?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17624502#comment-17624502 ] Shalom Yaish commented on CXF-8776: --- Any estimation when the next release 3.5.X will publish? Thank you. > Version 3.5.4 contains security vulnerable woodstox version > --- > > Key: CXF-8776 > URL: https://issues.apache.org/jira/browse/CXF-8776 > Project: CXF > Issue Type: Bug > Components: JAX-RS >Affects Versions: 3.5.4 >Reporter: Shalom Yaish >Assignee: Colm O hEigeartaigh >Priority: Major > Fix For: 3.5.5 > > > Version 3.5.4 contains the security vulnerable woodstox-core- 6.2.8 > containing this CVE: > CVE-2022-40151 - CVE-2022-40156 > [https://www.mend.io/vulnerability-database/CVE-2022-40151] > The fix existed at woodstox-core-6.4.0 > > Any chance this will be released quickly ? -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (CXF-8776) Version 3.5.4 contains security vulnerable woodstox version
[ https://issues.apache.org/jira/browse/CXF-8776?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17624424#comment-17624424 ] Colm O hEigeartaigh commented on CXF-8776: -- We have already updated to Woodstox 6.4.0 - [https://github.com/apache/cxf/commit/a615cc34ee974469e94c8a0086ec2ed0c84991fa] According to [https://github.com/advisories/GHSA-3f7h-mf4q-vrm4,] it only impacts DTD parsing, which we don't do in CXF. Colm. > Version 3.5.4 contains security vulnerable woodstox version > --- > > Key: CXF-8776 > URL: https://issues.apache.org/jira/browse/CXF-8776 > Project: CXF > Issue Type: Bug > Components: JAX-RS >Affects Versions: 3.5.4 >Reporter: Shalom Yaish >Priority: Major > > Version 3.5.4 contains the security vulnerable woodstox-core- 6.2.8 > containing this CVE: > CVE-2022-40151 - CVE-2022-40156 > [https://www.mend.io/vulnerability-database/CVE-2022-40151] > The fix existed at woodstox-core-6.4.0 > > Any chance this will be released quickly ? -- This message was sent by Atlassian Jira (v8.20.10#820010)
