chemistry-dev mailing list archives

From Florian Müller (JIRA) <j...@apache.org>
Subject [jira] [Commented] (CMIS-1077) need to update out-of-date dependencies with CVEs
Date Tue, 23 Jul 2019 20:34:00 GMT

    [ https://issues.apache.org/jira/browse/CMIS-1077?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16891362#comment-16891362 ]

Florian Müller commented on CMIS-1077:
--------------------------------------

The JAX-WS changes in the JDK made an update to Java 11 necessary. A bug in OpenJDK 11 forced
the update to Java 12.

If there is a dependency on Java 9, we have to remove it. The generated Jars are supposed
to work with Java 8.


The Apache HttpClient is optional and should not be used. It's there to support old Android
versions, which provided the HttpClient API to applications. An update is not possible because
even minor versions of the Apache HttpClient are not backwards compatible. In other words,
updating the Apache HttpClient version breaks support for older Android devices. Desktop and
server applications should never have used it.

> need to update out-of-date dependencies with CVEs
> -------------------------------------------------
>
>                 Key: CMIS-1077
>                 URL: https://issues.apache.org/jira/browse/CMIS-1077
>             Project: Chemistry
>          Issue Type: Bug
>          Components: opencmis-client, opencmis-client-bindings, opencmis-commons
>    Affects Versions: OpenCMIS 1.1.0
>            Reporter: Andrew Pavlin
>            Priority: Major
>
> The last official build of Chemistry is badly out of date with regard to its dependencies.
> Would it be possible to come out with a patch release that brings those dependencies up-to-date?
> Specifically, for the sub-parts of Chemistry our project is using, the obsolete dependencies
> are:
> Apache Httpcomponents (using 4.2.6, currently 4.5)
> com.squareup.okhttp3 (using 3.4.1, currently 3.13.1)
> Apache CXF (using 3.0.12, currently 3.3.2)
> org.osgi.core (using 5.0.0, currently 6.0.0)



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
