2 Replies Latest reply on Nov 20, 2014 9:06 AM by jessholle

    Upgrading Wildfly 8.1.0 to RestEasy 3.0.9

    jessholle

      RestEasy 3.0.9 has been released to address a security vulnerability (CVE-2014-3490).
      The RestEasy download contains a resteasy-jboss-modules-wf8-3.0.9.Final.zip file and instructions to:
      "Unzip this file while with the modules/system/layers/base/ directory of the Wildfly distribution"
      I looked within this zip, however, and I note that:

      1. It includes numerous jars beyond RestEasy's own jars.
      2. In a number of cases I spot-checked, these supporting jar versions were older than the versions currently residing in the locations in question in Wildfly 8.1.0.

      Based on #2, I'm rather reluctant to follow the RestEasy 3.0.9 documentation in this regard.
      Was this zip possibly meant solely for Wildfly 8.1.0?
      What's the correct way to update Wildfly 8.1.0's RestEasy to 3.0.9?

        • 1. Re: Upgrading Wildfly 8.1.0 to RestEasy 3.0.9
          jessholle

          On further examination, it looks like the RestEasy 3.0.9 patch zip for Wildfly is *close* to sensible -- and probably was for Wildfly 8.0.0 rather than 8.1.0.
          Taking their patch bundle I find the following modules would be downgrades that do not seem to be justified anywhere:

          • org/bouncycastle
            • 1.50 -> 1.46
          • org/codehaus/jackson
            • 1.9.13 -> 1.9.12

          Assuming these are unintentional downgrades, one could then follow the RestEasy 3.0.9 upgrade instructions for Wildfly except removing these directories from the patch zip.
          It would be really nice to get confirmation from the Wildfly or RestEasy community that this is the appropriate solution, though.
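
          One way to check for the unjustified downgrades described above before unzipping the patch bundle over a live installation. This is an added example, not code from the thread or from the RestEasy/WildFly projects; it assumes the patch zip has been extracted to a scratch directory, that a module's version is the trailing "-<version>" part of each jar filename under its module directory, and that GNU `sort -V` is available.

```shell
#!/bin/sh
# Added example: report modules whose jar version in an extracted RestEasy
# patch zip is lower than the one installed under modules/system/layers/base/.
# Assumption: versions are the trailing "-<version>" of jar filenames,
# e.g. bcprov-jdk16-1.46.jar -> 1.46, resteasy-jaxrs-3.0.9.Final.jar -> 3.0.9.Final

# Extract the version from a jar filename (prints nothing if none is found).
jar_version() {
  printf '%s\n' "$1" | sed -n 's/.*-\([0-9][0-9A-Za-z.]*\)\.jar$/\1/p'
}

# Usage: find_downgrades <extracted_patch_dir> <installed_base_dir>
# Prints "<module dir>: <installed> -> <patch>" for every downgrade.
find_downgrades() {
  patch_dir=$1; base_dir=$2
  find "$patch_dir" -name '*.jar' | while read -r pjar; do
    rel=${pjar#"$patch_dir"/}        # e.g. org/bouncycastle/main/bcprov-jdk16-1.46.jar
    mod=$(dirname "$rel")
    pver=$(jar_version "$(basename "$pjar")")
    [ -n "$pver" ] || continue
    # The installed jar of the same module shares the artifact prefix.
    prefix=$(basename "$pjar" | sed 's/-[0-9][0-9A-Za-z.]*\.jar$//')
    ijar=$(ls "$base_dir/$mod/$prefix"-[0-9]*.jar 2>/dev/null | head -n 1)
    [ -n "$ijar" ] || continue       # module not installed: a plain addition, not a downgrade
    iver=$(jar_version "$(basename "$ijar")")
    # If the installed version sorts highest and differs, the patch would downgrade it.
    top=$(printf '%s\n%s\n' "$pver" "$iver" | sort -V | tail -n 1)
    if [ "$top" = "$iver" ] && [ "$pver" != "$iver" ]; then
      printf '%s: %s -> %s\n' "$mod" "$iver" "$pver"
    fi
  done
}
```

          Any module directory it prints can then be deleted from the extracted patch before copying the rest over modules/system/layers/base/.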

          • 2. Re: Upgrading Wildfly 8.1.0 to RestEasy 3.0.9
            jessholle

            Note: to make matters even better, RestEasy has an issue in that no one ever bothered to make it support any halfway recent version of mime4j, so we had to patch RestEasy ourselves as well. This issue has been recognized in their bug database for years, yet left unaddressed. I have to say that RestEasy has really unimpressed me overall between these issues and the lack of response to them.