
Upgrade CXF to 3.5.5 to address CVE-2022-46363#2350

Merged
DarshitChanpura merged 6 commits into opensearch-project:main from stephen-crawford:main-cxf-update
Dec 15, 2022

Conversation

@stephen-crawford
Contributor

@stephen-crawford stephen-crawford commented Dec 14, 2022

Description

Upgrade CXF to 3.5.5 to address CVE-2022-46363

Check List

  • New functionality includes testing
  • New functionality has been documented
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.
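A dependency bump like this one is only effective if every path into the build resolves to the fixed version, including modules pulled in transitively by other libraries. The following is an added example, not code from the opensearch-project/security repository: it parses the text printed by `./gradlew dependencies`, honours Gradle's `->` conflict-resolution arrows, and reports any `org.apache.cxf` module whose effective version is below the 3.5.5 this PR pins. The sample tree and the artifact names in it are constructed for illustration. The check knows only the version named in this PR; it does not model other CXF release lines, so a hit means "review", not a confirmed vulnerability.

```python
"""Flag Apache CXF artifacts that resolve below the version this PR pins.

Added example; not code from the opensearch-project/security repository.
Input is the tree printed by `./gradlew dependencies`. Only the version
named in the PR (3.5.5) is modelled; other CXF release lines are not.
"""
import re

FIXED_CXF_VERSION = "3.5.5"  # the version this PR upgrades to

# Gradle tree lines look like (constructed examples):
#   +--- org.apache.cxf:cxf-core:3.4.9 -> 3.5.5
#   \--- org.apache.cxf:cxf-rt-rs-security-jose:3.5.5 (*)
# The version after "->" is what Gradle actually resolved; the one before
# it is only what some module declared.
DEP_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<name>[\w.\-]+):(?P<declared>[\w.\-]+)"
    r"(?:\s+->\s+(?P<resolved>[\w.\-]+))?"
)


def parse_version(v: str) -> tuple:
    """Turn '3.5.5' into (3, 5, 5) for tuple comparison.

    Parsing stops at the first non-numeric segment, so a pre-release
    qualifier such as '-SNAPSHOT' is ignored rather than ordered.
    """
    nums = []
    for part in re.split(r"[.\-]", v):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)


def find_outdated_cxf(dependency_output: str, fixed: str = FIXED_CXF_VERSION):
    """Return [(artifact, effective_version)] for every org.apache.cxf module
    whose resolved version compares below `fixed`. Duplicate tree entries
    (Gradle repeats shared subtrees) are reported once."""
    hits = []
    seen = set()
    for line in dependency_output.splitlines():
        m = DEP_RE.search(line)
        if not m or m.group("group") != "org.apache.cxf":
            continue
        effective = m.group("resolved") or m.group("declared")
        key = (m.group("name"), effective)
        if key in seen:
            continue
        seen.add(key)
        if parse_version(effective) < parse_version(fixed):
            hits.append((f"org.apache.cxf:{m.group('name')}", effective))
    return hits


# Constructed sample of `./gradlew dependencies --configuration runtimeClasspath`
# output (not captured from the real project). One module is pinned correctly,
# one is dragged in transitively at an older version, and one declares an old
# version that Gradle's conflict resolution already bumped.
SAMPLE_TREE = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.apache.cxf:cxf-rt-rs-security-jose:3.5.5
|    +--- org.apache.cxf:cxf-core:3.5.5
|    \\--- org.apache.cxf:cxf-rt-rs-json-basic:3.5.5
+--- com.example:some-library:1.2.0
|    \\--- org.apache.cxf:cxf-rt-transports-http:3.4.9
\\--- org.apache.cxf:cxf-rt-rs-security-jose:3.4.9 -> 3.5.5 (*)
"""

if __name__ == "__main__":
    for artifact, version in find_outdated_cxf(SAMPLE_TREE):
        print(f"{artifact} resolves to {version} (< {FIXED_CXF_VERSION}): review")
```

On the sample tree only `cxf-rt-transports-http` at 3.4.9 is reported; the `3.4.9 -> 3.5.5` line is not, because the resolved version is what ends up on the classpath. Pipe real output in with `./gradlew dependencies --configuration runtimeClasspath | python3 check_cxf.py` after replacing `SAMPLE_TREE` with `sys.stdin.read()`.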

@stephen-crawford stephen-crawford requested a review from a team December 14, 2022 18:13
@DarshitChanpura DarshitChanpura changed the title Main cxf update Fixes CVE-2022-46363 Dec 14, 2022
@codecov-commenter

codecov-commenter commented Dec 14, 2022

Codecov Report

Merging #2350 (38bc2f9) into main (cc45b04) will decrease coverage by 0.08%.
The diff coverage is n/a.

@@             Coverage Diff              @@
##               main    #2350      +/-   ##
============================================
- Coverage     61.17%   61.09%   -0.09%     
+ Complexity     3274     3272       -2     
============================================
  Files           260      260              
  Lines         18369    18369              
  Branches       3251     3251              
============================================
- Hits          11238    11223      -15     
- Misses         5544     5559      +15     
  Partials       1587     1587              
Impacted Files Coverage Δ
...t/keybyoidc/AuthenticatorUnavailableException.java 0.00% <0.00%> (-20.00%) ⬇️
.../auth/http/jwt/keybyoidc/SelfRefreshingKeySet.java 59.85% <0.00%> (-8.46%) ⬇️
...ic/auth/http/jwt/AbstractHTTPJwtAuthenticator.java 55.81% <0.00%> (-3.49%) ⬇️
.../dlic/auth/ldap2/LDAPConnectionFactoryFactory.java 57.46% <0.00%> (-1.50%) ⬇️
...ecurity/configuration/ConfigurationRepository.java 74.31% <0.00%> (+2.18%) ⬆️


@stephen-crawford stephen-crawford changed the title Fixes CVE-2022-46363 Upgrade CXF to 3.5.5 to address CVE-2022-46363 Dec 15, 2022
@DarshitChanpura DarshitChanpura merged commit 93faf75 into opensearch-project:main Dec 15, 2022
opensearch-trigger-bot bot pushed a commit that referenced this pull request Dec 15, 2022
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
(cherry picked from commit 93faf75)
opensearch-trigger-bot bot pushed a commit that referenced this pull request Dec 15, 2022
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
(cherry picked from commit 93faf75)
DarshitChanpura pushed a commit that referenced this pull request Dec 16, 2022
Signed-off-by: Stephen Crawford <steecraw@amazon.com>
Signed-off-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
(cherry picked from commit 93faf75)

Co-authored-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
@ulir

ulir commented Jan 4, 2023

Hi,
quick question: this ticket has the backport 2.4 label. Does this mean there's going to be a 2.4.z release containing the fix?
I couldn't sort this out from reading https://opensearch.org/releases.html. From what I read there, there aren't going to be any 2.4.z releases once 2.5.0 is out?
Thanks for a quick clarification!
-Uli

@stephen-crawford
Contributor Author

Hi @ulir,

You are correct in your understanding of the backporting structure. In short, we backport fixes to the latest version of all supported major versions. So, since main tracks the next major (3.0.0), we also backport to 2.4 and 1.3 for any potential patch releases (which would be semantically versioned as 2.4.x or 1.3.x). Then, because we also want to include any changes in an upcoming version of the supported majors which are still under development, we want to backport to 2.x as well for a 2.5 version. Because we are never going to have a 1.4, backporting to 1.x is not strictly necessary, but you may see instances where changes are also backported to this branch.
