Ah I see. I'll aim to get a new WSS4J release out in time for CXF 4.2.3. In
the meantime, you'll have to pin the Neethi version in your environment.

Colm.

On Wed, Jun 10, 2026 at 2:49 PM Bernhard Schuhmann <
[email protected]> wrote:

> Hello Colm,
>
> thanks for the swift response! This change was already made in 4.2.1 if
> I’m not mistaken - but the problem is IMO
> org.apache.wss4j:wss4j-policy:4.0.1, which I think will not change in
> 4.2.2. Need to find how I can try with 4.2.2 but I fear the problem will be
> still in 4.2.2.
>
> At least in our environment Maven down manages neethi to 3.2.1 because of
> wss4j-policy.
>
> Thanks
>
> Bernhard
>
>
> Bernhard Schuhmann ​​​​
> Principal Software Engineer
> |
> Jedox
> *Von: *Colm O hEigeartaigh <[email protected]>
> *Datum: *Mittwoch, 10. Juni 2026 um 15:16
> *An: *Bernhard Schuhmann <[email protected]>
> *Cc: *[email protected] <[email protected]>
> *Betreff: *Re: Apache Neethi 3.2.1 still used in CXF 4.2.1 (and 4.2.2)
>
> Hi Bernhard,
>
> Neethi 3.2.2 should be fixed as part of CXF 4.2.2, which is under vote and
> will be released shortly.
>
>
> https://github.com/apache/cxf/commit/e24d2c4627dcd727e4cbc4f5b6a49c918f4563dc
> <https://urldefense.com/v3/__https://github.com/apache/cxf/commit/e24d2c4627dcd727e4cbc4f5b6a49c918f4563dc__;!!JdBmGB72fGA!gDUU0J5T3ZsslLAVCkff5dWqFs7j8X9pK3CDXTaN8kjzQ3BfWSSbws-0gHy4Syz47KVBkhCBcwiNrKAPYvCYuaEL$>
>
> Colm.
>
> On Wed, Jun 10, 2026 at 2:08 PM Bernhard Schuhmann <
> [email protected]> wrote:
>
> Hello,
>
> noticed that Apache Neethi is still at vulnerable 3.2.1 even though I had
> expected it should be at 3.2.2 in our environment with CXF 4.2.1.
>
> Found the following  chain of dependencies:
> org.apache.cxf:cxf-rt-ws-security:4.2.1/2 depends on
> org.apache.wss4j:wss4j-policy:4.0.1 which still depends on
> org.apache.neethi:neethi:3.2.1
>
> However, org.apache.cxf:cxf-rt-ws-policy:4.2.1/2 for instance depends on
> org.apache.neethi:neethi:3.2.2 as expected.
>
> Not sure if it’s our specific environment or a general problem - any
> additional information I can provide?
>
> I see the vote for 4.2.2 is already open or even closed - is there a
> chance to get this still fixed for 4.2.2 if a general issue or would this
> have to wait until 4.2.3? Would I need to create a ticket for that?
>
> Thanks in advance!
>
> Bernhard
> [image: Jedox Gartner Magic Quadrant Leader]
> <https://www.jedox.com/de/ressourcen/analyst-gartner-magic-quadrant-finanzplanungssoftware/?utm_campaign=Analyst%20Reports&utm_source=signature&utm_medium=email_marketing&utm_content=GartnerMQ2025>
> ​​​​
> Bernhard Schuhmann
> Principal Software Engineer
> Jedox
> Bismarckallee 7a
> 79098
> Freiburg im Breisgau
> Germany
> Jedox GmbH
> Chief Executive Officer (Geschäftsführer): Florian Winterstein
>
> Place of Business: Freiburg i. Br. | Registry Court: Amtsgericht Freiburg | 
> HRB 723467
> ​
> ​​[TM.V06112018]
>
>

Reply via email to