[GitHub] [tomee] rzo1 opened a new pull request, #942: TOMEE-4057 - Remove CXF patch sources with no TomEE-related modifications

2022-10-09 Thread GitBox
rzo1 opened a new pull request, #942: URL: https://github.com/apache/tomee/pull/942 # What does this PR do? During the CXF upgrade to 3.4.8 and porting the method signature changes of CXF-8478 and CXF-8688 to our CXF patch sources, I took some time to check the **diffs** between ou

[DISCUSS] TomEE 8.0.13 - How do we want to deal with pending CVEs / patch versions?

2022-10-09 Thread Richard Zowalla
Hi all, I think that we are soon in a good state to do an 8.0.13. However, there are some open points for which I want to get the community's opinion. # (1): CVE-2022-42003 (jackson-databind) There is one CVE related to jackson-databind: https://nvd.nist.gov/vuln/detail/CVE-2022-42003 (before 2

[GitHub] [tomee] rmannibucau commented on pull request #942: TOMEE-4057 - Remove CXF patch sources with no TomEE-related modifications

2022-10-09 Thread GitBox
rmannibucau commented on PR #942: URL: https://github.com/apache/tomee/pull/942#issuecomment-1272487866 Hi Cxf just published a 4.0.0-SNAPSHOT targeting jakarta, can be worth a try to drop all the fork at once? -- This is an automated message from the Apache Git Service. To respon

Re: [DISCUSS] TomEE 8.0.13 - How do we want to deal with pending CVEs / patch versions?

2022-10-09 Thread Swell
TomEE 8.0.12 is already affected by these 2 CVEs, right? I am unsure in terms of corporate image. no-shipping and waiting seems a bit hard on clients who would need to have tech-watch and/or security teams to update the jars by themselves in production. it would be great to provide counter measures

[GitHub] [tomee] rzo1 commented on pull request #942: TOMEE-4057 - Remove CXF patch sources with no TomEE-related modifications

2022-10-09 Thread GitBox
rzo1 commented on PR #942: URL: https://github.com/apache/tomee/pull/942#issuecomment-1272508339 Hi @rmannibucau We are indeed discussing CXF 4 for TomEE 9.x / 10.x on the list: https://lists.apache.org/thread/o21s1gk07m3khyx5nmyxbx7xforxknro For 8.x, it could be worth to clea

Re: [DISCUSS] TomEE 8.0.13 - How do we want to deal with pending CVEs / patch versions?

2022-10-09 Thread Zowalla, Richard
> TomEE 8.0.12 is already affected by these 2 CVEs, right? Yes (+ some others as discussed in the 'Cut a 8.0.13' thread). Regards, Richard On Sunday, 09.10.2022 at 10:59 +0200, Swell wrote: > TomEE 8.0.12 is already affected by these 2 CVEs, right? > > I am unsure in terms of corporate image. >

Re: [DISCUSS] TomEE 8.0.13 - How do we want to deal with pending CVEs / patch versions?

2022-10-09 Thread Alex The Rocker
Hello, Regarding # (1): CVE-2022-42003 (jackson-databind), given that the only reason for having Jackson in TomEE is because of embedded TomEE; so the discussion here https://lists.apache.org/thread/ttmdc4l9z9oz9lqw3cd22sjdz451dh25 to replace Jackson by the Apache Johnzon (which is already part of