Apache CXF 3.1.11 (and 3.0.13) has been released. This release fixes a large number of bugs (over 100 issues were resolved in the CXF JIRA for this release). From a security POV, here are some of the more notable bug fixes and changes:
- CXF-7315 - Abstract the STS client token caching behaviour to allow the user to plug in a custom implementation
- CXF-7296 - Add support to enable revocation checking for TLS via configuration
- CXF-7314 - Custom BinarySecurityTokens are not used to set up the security context
- CXF-4692 - Allow customization of Request Security Token Response
- CXF-7252 - TLSParameterJaxBUtils.getTrustManagers getting password from wrong system property
In addition, two new security advisories have been issued for bugs fixed in this release:
- CVE-2017-5653 - Apache CXF JAX-RS XML Security streaming clients do not validate that the service response was signed or encrypted.
- CVE-2017-5656 - Apache CXF's STSClient uses a flawed way of caching tokens that are associated with delegation tokens.
Please update to the latest releases if you are affected by either of these issues.
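As an added illustration (not code from the CXF project or from this post), the following Python model shows the two client-side mistakes these advisories describe in general terms: a signature check that fails open when the response carries no signature at all, and a token cache whose key ignores which delegated identity a token was issued for. The HMAC "signature", the endpoint names, the token format and the cache layout are all constructed for the example; they are not CXF's wire format, configuration or API.

```python
"""Two client-side pitfalls of the kind described in the CVE-2017-5653 and
CVE-2017-5656 advisories, modelled in plain Python.

Constructed for illustration: the HMAC "signature", the key, the token
format and the cache layout are not CXF's; only the security point is."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple, Union

# ---------------------------------------------------------------------------
# 1. Response validation must fail closed (the CVE-2017-5653 class of bug)
# ---------------------------------------------------------------------------

SERVICE_KEY = b"shared-service-key"  # constructed for the example


def sign(body: bytes, key: bytes = SERVICE_KEY) -> str:
    """Stand-in for a real XML signature: an HMAC over the response body."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def accept_response_fail_open(body: bytes, signature: Optional[str]) -> bool:
    """Vulnerable pattern: only verify a signature if one is present.

    An attacker who can tamper with the response does not need to forge a
    signature; stripping it is enough to make the client accept the body."""
    if signature is None:
        return True  # BUG: unsigned response is silently trusted
    return hmac.compare_digest(sign(body), signature)


def accept_response_fail_closed(body: bytes, signature: Optional[str],
                                require_signature: bool = True) -> bool:
    """Hardened pattern: when the client is configured to expect a signed
    response, a missing signature is a verification failure, not a pass."""
    if signature is None:
        return not require_signature
    return hmac.compare_digest(sign(body), signature)


# ---------------------------------------------------------------------------
# 2. Cached tokens must be keyed by the delegated identity
#    (the CVE-2017-5656 class of bug)
# ---------------------------------------------------------------------------

@dataclass(frozen=True)
class IssuedToken:
    token_id: str
    subject: str  # the identity the token was issued for


class StsClientModel:
    """Toy STS client that caches issued tokens per target endpoint.

    With key_includes_delegation=False the cache key is the endpoint alone,
    so a token obtained on behalf of one user is handed back for a later
    request made on behalf of a different user (the flawed behaviour).
    With key_includes_delegation=True the delegated subject is part of the
    key, so each delegated identity gets its own cached token."""

    def __init__(self, key_includes_delegation: bool) -> None:
        self.key_includes_delegation = key_includes_delegation
        self._cache: Dict[Union[str, Tuple[str, Optional[str]]], IssuedToken] = {}
        self._issued = 0  # counts round trips to the (simulated) STS

    def _issue(self, endpoint: str, on_behalf_of: Optional[str]) -> IssuedToken:
        """Simulated STS issue call; a real client would send an RST here."""
        self._issued += 1
        return IssuedToken(f"tok-{self._issued}-{endpoint}", on_behalf_of or "client")

    def get_token(self, endpoint: str, on_behalf_of: Optional[str] = None) -> IssuedToken:
        key: Union[str, Tuple[str, Optional[str]]]
        if self.key_includes_delegation:
            key = (endpoint, on_behalf_of)
        else:
            key = endpoint  # BUG: delegation identity ignored in the key
        token = self._cache.get(key)
        if token is None:
            token = self._issue(endpoint, on_behalf_of)
            self._cache[key] = token
        return token

    @property
    def issue_count(self) -> int:
        return self._issued


if __name__ == "__main__":
    body = b"<balance>100</balance>"
    print("fail-open accepts unsigned:", accept_response_fail_open(body, None))
    print("fail-closed accepts unsigned:", accept_response_fail_closed(body, None))
    flawed = StsClientModel(key_includes_delegation=False)
    flawed.get_token("https://svc.example/ws", on_behalf_of="alice")
    print("flawed cache gives bob:", flawed.get_token("https://svc.example/ws", "bob").subject)
```

The two halves make the same point from different angles: security that is configured on the client must be enforced on every response (absence of the expected signature is a failure), and any cache sitting in front of a security token service must key on everything that determines whom the token is for, not just where it will be sent.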
Please ask on the CXF users mailing list instead.