[jira] [Commented] (CXF-9016) Upgrade Spring-Framework to 5.3.34 in Apache-cxf
[ https://issues.apache.org/jira/browse/CXF-9016?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17850982#comment-17850982 ]

Nikhil commented on CXF-9016:
-----------------------------

[~reta] Thanks for the update. Could you please provide the fix version in which Spring has been upgraded for Apache CXF? This will help us take the right build for fixing the security vulnerability.

> Upgrade Spring-Framework to 5.3.34 in Apache-cxf
> ------------------------------------------------
>
>                 Key: CXF-9016
>                 URL: https://issues.apache.org/jira/browse/CXF-9016
>             Project: CXF
>          Issue Type: Improvement
>    Affects Versions: 3.5.5, 3.5.6, 3.5.7, 3.5.8, 3.6.3
>            Reporter: Nikhil
>            Priority: Major
>
> We have a high severity security issue with spring-framework:
>
> h2. Affected Spring Products and Versions
> Spring Framework
> * 6.1.0 - 6.1.5
> * 6.0.0 - 6.0.18
> * 5.3.0 - 5.3.33
> * Older, unsupported versions are also affected
>
> *Summary*: Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect [https://cwe.mitre.org/data/definitions/601.html] attack or to an SSRF attack if the URL is used after passing validation checks.
> This is the same as CVE-2024-22243 [https://spring.io/security/cve-2024-22243], but with different input.
>
> *Note:* This is the same as *CVE-2024-22259* and *CVE-2024-22243*, but with different input.
> ----
> All these issues were fixed in Spring-Framework *5.3.34*.
>
> *Could you please review and update Spring-Framework as needed in the CXF package?*

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Comment Edited] (CXF-9007) NullPointerException in XMLStreamDataWriter.writeNode
[ https://issues.apache.org/jira/browse/CXF-9007?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17850912#comment-17850912 ]

Magnus Holm edited comment on CXF-9007 at 5/31/24 9:27 AM:
-----------------------------------------------------------

[~reta] Sorry about the delay. Added a test-case for the issue in the original report here:
https://github.com/magnho/cxf/pull/2/commits/aefcffcb0af236308cda8c2eb4186e15b8192e8d

Copied in a bunch of stuff to make this as similar to our local test-case as possible. I managed to trigger the error here as well, and added the test-output to the commit as well. It runs successfully 9/10 times (at least), so it's a bit of a hassle to trigger the failure.

The failure in my previous post seems to be a mistake on my side. Maybe I managed to mix versions on the classpath or something; it does not fail any more.

edit: Sorry for not using existing wsdls etc.; couldn't get that working.

edit2: Have not been able to trigger failures when running with your branch change.

> NullPointerException in XMLStreamDataWriter.writeNode
> -----------------------------------------------------
>
>                 Key: CXF-9007
>                 URL: https://issues.apache.org/jira/browse/CXF-9007
>             Project: CXF
>          Issue Type: Bug
>    Affects Versions: 4.0.3, 4.0.4
>            Reporter: Magnus Holm
>            Assignee: Andriy Redko
>            Priority: Major
>             Fix For: 4.1.0, 4.0.5
>
>         Attachments: dispatch-impl-npe.txt, interceptor-npe.txt, invoke-async-npe.txt, invoke-sync-npe.txt
>
> We're encountering sporadic, weird {{NullPointerException}}s in various of our tests using different client configurations with wsdls. It seems to only occur right after initialising the client, i.e. only on the first call. I suspect it's some kind of race condition, but I've not been able to create a reproducer. I was hoping maybe someone from the project would have insight into why this could be happening by looking at the stacktraces.
>
> The error we're hitting appears to be here:
> {code}
> java.lang.NullPointerException: Cannot invoke "org.w3c.dom.Node.getOwnerDocument()" because "nd" is null
>     at org.apache.cxf.databinding.source.XMLStreamDataWriter.writeNode(XMLStreamDataWriter.java:160) ~[cxf-core-4.0.4.jar:4.0.4]
>     at org.apache.cxf.databinding.source.XMLStreamDataWriter.write(XMLStreamDataWriter.java:101) ~[cxf-core-4.0.4.jar:4.0.4]
>     at org.apache.cxf.databinding.source.XMLStreamDataWriter.write(XMLStreamDataWriter.java:67) ~[cxf-core-4.0.4.jar:4.0.4]
>     at org.apache.cxf.databinding.source.XMLStreamDataWriter.write(XMLStreamDataWriter.java:55) ~[cxf-core-4.0.4.jar:4.0.4]
> {code}
>
> Update: we're using cxf-rt-transports-http-hc5.
>
> We've had this issue on 4.0.3 and 4.0.4. We might've had it on previous versions as well, but I don't have build history going back that far.
>
> JDK versions: Corretto 17 (17.0.8-amzn), Zulu 17 (17.0.10-zulu) ++
[jira] [Commented] (CXF-9016) Upgrade Spring-Framework to 5.3.34 in Apache-cxf
[ https://issues.apache.org/jira/browse/CXF-9016?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17851059#comment-17851059 ]

Andriy Redko commented on CXF-9016:
-----------------------------------

[~somasaninikhil] All upcoming releases will be bundled with the latest versions. I have added version labels to this issue to help you navigate, thank you.

> Upgrade Spring-Framework to 5.3.34 in Apache-cxf
> ------------------------------------------------
>
>                 Key: CXF-9016
>                 URL: https://issues.apache.org/jira/browse/CXF-9016
>             Project: CXF
>          Issue Type: Improvement
>    Affects Versions: 3.5.5, 3.5.6, 3.5.7, 3.5.8, 3.6.3
>            Reporter: Nikhil
>            Priority: Major
>             Fix For: 3.5.9, 4.1.0, 4.0.5, 3.6.4
[jira] [Updated] (CXF-9016) Upgrade Spring-Framework to 5.3.34 in Apache-cxf
[ https://issues.apache.org/jira/browse/CXF-9016?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andriy Redko updated CXF-9016:
------------------------------
    Fix Version/s: 3.5.9
                   4.1.0
                   4.0.5
                   3.6.4

> Upgrade Spring-Framework to 5.3.34 in Apache-cxf
> ------------------------------------------------
>
>                 Key: CXF-9016
>                 URL: https://issues.apache.org/jira/browse/CXF-9016
>             Project: CXF
>          Issue Type: Improvement
>    Affects Versions: 3.5.5, 3.5.6, 3.5.7, 3.5.8, 3.6.3
>            Reporter: Nikhil
>            Priority: Major
>             Fix For: 3.5.9, 4.1.0, 4.0.5, 3.6.4
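The reporter's question on this issue is which build to take. As an added example (not code from Apache CXF or Spring), the check below encodes the affected Spring Framework ranges and the CXF Fix For versions quoted in the issue so that a build's version strings can be tested against them; ignoring version qualifiers such as `.RELEASE`, and treating every release below 5.3.0 as affected per the "older, unsupported versions" line, are assumptions of this example.

```python
# Added example (not code from Apache CXF or Spring): checks a Spring Framework
# version against the affected ranges quoted in CXF-9016, and a CXF version
# against the issue's Fix For list, so the right build can be chosen.
import re

# Affected ranges from the issue description, inclusive on both ends.
AFFECTED_SPRING = [
    ((6, 1, 0), (6, 1, 5)),
    ((6, 0, 0), (6, 0, 18)),
    ((5, 3, 0), (5, 3, 33)),
]
# "Older, unsupported versions are also affected": anything below 5.3.0.
OLDEST_LISTED = (5, 3, 0)

# Earliest release on each CXF line carrying the Spring upgrade (Fix For).
CXF_FIX_FOR = {(3, 5): (3, 5, 9), (3, 6): (3, 6, 4), (4, 0): (4, 0, 5), (4, 1): (4, 1, 0)}


def parse_version(text):
    """Return (major, minor, patch); a trailing qualifier such as
    '.RELEASE' or '-SNAPSHOT' is ignored (assumption for this example)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-][\w.-]*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def spring_affected(version):
    """True if this Spring Framework version is inside an affected range
    (or older than every listed range); False if outside all of them."""
    v = parse_version(version)
    if v < OLDEST_LISTED:
        return True
    return any(low <= v <= high for low, high in AFFECTED_SPRING)


def cxf_carries_fix(version):
    """True/False for the CXF lines named in Fix For; None when the line is
    not on the issue, so no conclusion can be drawn from it."""
    v = parse_version(version)
    fixed_at = CXF_FIX_FOR.get(v[:2])
    if fixed_at is None:
        return None
    return v >= fixed_at


if __name__ == "__main__":
    for spring in ("5.3.33", "5.3.34", "6.0.18", "6.1.6"):
        print(spring, "affected" if spring_affected(spring) else "not in an affected range")
    for cxf in ("4.0.4", "4.0.5", "3.6.3", "3.6.4"):
        print(cxf, cxf_carries_fix(cxf))
```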
[jira] [Created] (CXF-9025) Increase unit test coverage on org.apache.cxf.catalog
Jamie Mark Goodyear created CXF-9025:
----------------------------------------

             Summary: Increase unit test coverage on org.apache.cxf.catalog
                 Key: CXF-9025
                 URL: https://issues.apache.org/jira/browse/CXF-9025
             Project: CXF
          Issue Type: Test
          Components: Core
    Affects Versions: 4.1.0
            Reporter: Jamie Mark Goodyear

org.apache.cxf.catalog has several classes without unit test coverage.
This card & PR intends to improve coverage.

IDEA coverage report:
org.apache.cxf.catalog: 0% class, 0% Methods, 0% Lines.
[jira] [Updated] (CXF-9025) Increase unit test coverage on org.apache.cxf.catalog
[ https://issues.apache.org/jira/browse/CXF-9025?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jamie Mark Goodyear updated CXF-9025:
-------------------------------------
    Flags: Patch

> Increase unit test coverage on org.apache.cxf.catalog
> -----------------------------------------------------
>
>                 Key: CXF-9025
>                 URL: https://issues.apache.org/jira/browse/CXF-9025
>             Project: CXF
>          Issue Type: Test
>          Components: Core
>    Affects Versions: 4.1.0
>            Reporter: Jamie Mark Goodyear
>            Priority: Minor
>
> org.apache.cxf.catalog has several classes without unit test coverage.
> This card & PR intends to improve coverage.
>
> IDEA coverage report:
> org.apache.cxf.catalog: 0% class, 0% Methods, 0% Lines.