Hi Alexandre The Tomcat version for 8.0.6 will be 9.0.41, and I am cutting the release now. This will include the fix for CVE-2021-24122, announced on Tomcat's mailing list today.
Kind Regards Jon On Thu, Jan 14, 2021 at 2:26 PM Alex The Rocker <[email protected]> wrote: > yes, for example CVE-2021-24122, for which fix exists in Tomcat 9.0.40 > / 8.5.60 / etc. > I hope this will be at least Tomcat's version embedded in upcoming TomEE > 8.0.6 > > Kind regards, > Alexandre > > Le mer. 13 janv. 2021 à 12:53, Jonathan Gallimore > <[email protected]> a écrit : > > > > Yes. Is there a specific concern you have? > > > > On Wed, Jan 13, 2021 at 10:40 AM Alex The Rocker <[email protected]> > > wrote: > > > > > Hello Jon, > > > > > > Would you please make sure that this 8.0.6 TomEE release will include > > > latest CVEs fixes (from TomEE, ActiveMQ, etc) ? > > > > > > Kind regards; > > > Alexandre > > > > > > Le ven. 8 janv. 2021 à 14:15, Jonathan Gallimore > > > <[email protected]> a écrit : > > > > > > > > Hi All, > > > > > > > > Any objections if I kick off a 8.0.6 release? I think there are some > > > > dependency updates that it would be useful to get included > (specifically > > > > Tomcat), and also there's a regression with using a non-transactional > > > > ActiveMQ connection factory in a transactional method that I have > fixed > > > as > > > > well. > > > > > > > > Thanks > > > > > > > > Jon > > > >
