Hi Alex,

https://issues.apache.org/jira/browse/TOMEE-3838 references:

- https://nvd.nist.gov/vuln/detail/CVE-2021-40110

"In Apache James, using Jazzer fuzzer, we identified that an IMAP user can craft IMAP LIST commands to orchestrate a Denial Of Service using a vulnerable Regular expression. This affected Apache James prior to 3.6.1. We recommend upgrading to Apache James 3.6.1 or higher, which enforce the use of RE2J regular expression engine to execute regex in linear time without back-tracking."

Geronimo Java Mail uses apache-mime4j-core-0.8.6.jar (from Apache James as shaded dependency). We do not use the Apache James Mail server in the code base.

Note that Apache James provides a lot of different utility libraries: https://james.apache.org/download.cgi

This also holds for:

- https://nvd.nist.gov/vuln/detail/CVE-2021-38542
- https://nvd.nist.gov/vuln/detail/CVE-2021-40111
- https://nvd.nist.gov/vuln/detail/CVE-2021-40525

I might be wrong, but imho TOMEE-3838 is a false positive.

Regards
Richard

On Tuesday, 15.02.2022 at 07:46 +0100, Alex The Rocker wrote:
> Hello,
>
> May I suggest [-1] until TOMEE-3838 is solved (it's a CVE-related
> issue, marked as a blocker, CVE's score is High at 75)?
>
> Thanks,
> Alex
>
> On Fri, 11 Feb 2022 at 11:12, Zowalla, Richard <[email protected]> wrote:
> > Hi,
> >
> > +1 from my side.
> >
> > I tested the 8.0.10 plus artifact with our fullstack EAR app (jpa,
> > jaxrs, jsf).
> >
> > Thanks, JL for conducting the release.
> >
> > Regards
> > Richard
> >
> > On Friday, 11.02.2022 at 09:53 +0100, Jean-Louis Monteiro wrote:
> > > Hi All,
> > >
> > > This is a first attempt at a vote for a release of Apache TomEE 8.0.10
> > >
> > > Maven Repo:
> > > https://repository.apache.org/content/repositories/orgapachetomee-1193/
> > >
> > > Binaries & Source:
> > > https://dist.apache.org/repos/dist/dev/tomee/staging_1193-TomEE-8.0.10/
> > >
> > > Tags:
> > > https://github.com/apache/tomee/releases/tag/tomee-project-8.0.10
> > >
> > > Release notes:
> > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12350706
> > >
> > > Here are the release notes
> > >
> > > Sub-task
> > >
> > > - [TOMEE-2117 <https://issues.apache.org/jira/browse/TOMEE-2117>] - Rework ProcessObserverMethod integration
> > > - [TOMEE-2289 <https://issues.apache.org/jira/browse/TOMEE-2289>] - MicroProfile OpenAPI Example
> > > - [TOMEE-2349 <https://issues.apache.org/jira/browse/TOMEE-2349>] - Ensure each module can generate javadoc jars on release
> > > - [TOMEE-2350 <https://issues.apache.org/jira/browse/TOMEE-2350>] - Create a list of existing Javadoc using html
> > > - [TOMEE-2351 <https://issues.apache.org/jira/browse/TOMEE-2351>] - MicroProfile OpenTracing Example for Distributed Microservices
> > > - [TOMEE-2358 <https://issues.apache.org/jira/browse/TOMEE-2358>] - MicroProfile JWT rest-mp-jwt-claim Example
> > >
> > > Bug
> > >
> > > - [TOMEE-2169 <https://issues.apache.org/jira/browse/TOMEE-2169>] - Interceptor Bean injection does not work for EJBs
> > > - [TOMEE-2270 <https://issues.apache.org/jira/browse/TOMEE-2270>] - Java11: Unable to initialize agent with embedded-maven-plugin
> > > - [TOMEE-2403 <https://issues.apache.org/jira/browse/TOMEE-2403>] - AutoConnectionTrackerTest fails randomly
> > > - [TOMEE-2427 <https://issues.apache.org/jira/browse/TOMEE-2427>] - Align text above the pictures
> > > - [TOMEE-2800 <https://issues.apache.org/jira/browse/TOMEE-2800>] - Issue : Unable to run EJB test cases for upgradation in current project with Java 1.8 and WebLogic version 12.2.1.4 along with openejb.cxf.version 7.0.1 / openejb.cxf.version 8 jar.
> > > - [TOMEE-2941 <https://issues.apache.org/jira/browse/TOMEE-2941>] - Regression: A connection factory created with TransactionSupport of "none" only sending message when transaction completes
> > > - [TOMEE-3777 <https://issues.apache.org/jira/browse/TOMEE-3777>] - <openjpa-3.1.2-r66d2a72 fatal user error> org.apache.openjpa.persistence.ArgumentException: The persistence provider is attempting to use properties in the persistence.xml file to resolve the data source ...
> > > - [TOMEE-3816 <https://issues.apache.org/jira/browse/TOMEE-3816>] - Return "this" on stateless EJB method looses container transaction management
> > > - [TOMEE-3823 <https://issues.apache.org/jira/browse/TOMEE-3823>] - TomEE and Java 17 compatibility issue with Windows Service Tooling
> > > - [TOMEE-3825 <https://issues.apache.org/jira/browse/TOMEE-3825>] - TomEE Maven Plugin does not wait for container startup, if "checkStarted" is set to true
> > > - [TOMEE-3832 <https://issues.apache.org/jira/browse/TOMEE-3832>] - JAX-RS TomEEJsonbProvider not registered in tomee-embedded-maven-plugin when MicroProfile is present
> > >
> > > New Feature
> > >
> > > - [TOMEE-2306 <https://issues.apache.org/jira/browse/TOMEE-2306>] - New Java EE Schemas for Java EE Deployment Descriptors
> > > - [TOMEE-2584 <https://issues.apache.org/jira/browse/TOMEE-2584>] - Java 11 compliancy
> > > - [TOMEE-2706 <https://issues.apache.org/jira/browse/TOMEE-2706>] - New TomEE Embedded Bootstrap
> > >
> > > Improvement
> > >
> > > - [TOMEE-1618 <https://issues.apache.org/jira/browse/TOMEE-1618>] - Replace three register maps in Container in favour of one
> > > - [TOMEE-2277 <https://issues.apache.org/jira/browse/TOMEE-2277>] - Java11: module name for TomEE
> > > - [TOMEE-2425 <https://issues.apache.org/jira/browse/TOMEE-2425>] - Generate TomEE-Cluster.html page
> > > - [TOMEE-2519 <https://issues.apache.org/jira/browse/TOMEE-2519>] - MP JWT Logging Improvements
> > > - [TOMEE-2847 <https://issues.apache.org/jira/browse/TOMEE-2847>] - Patch key `jakarta` namespace support
> > > - [TOMEE-2949 <https://issues.apache.org/jira/browse/TOMEE-2949>] - Match TomEE tar and zip file syntax with extracted folder
> > > - [TOMEE-3826 <https://issues.apache.org/jira/browse/TOMEE-3826>] - Add exclusion list maven config for patch plugin to preserve jars with signature
> > >
> > > Wish
> > >
> > > - [TOMEE-2347 <https://issues.apache.org/jira/browse/TOMEE-2347>] - Use Asciidoc for all Javadoc
> > >
> > > Task
> > >
> > > - [TOMEE-2285 <https://issues.apache.org/jira/browse/TOMEE-2285>] - Microprofile Examples
> > > - [TOMEE-2867 <https://issues.apache.org/jira/browse/TOMEE-2867>] - Add Documentation links to website download page
> > > - [TOMEE-2868 <https://issues.apache.org/jira/browse/TOMEE-2868>] - Add instructions on each example page
> > > - [TOMEE-3724 <https://issues.apache.org/jira/browse/TOMEE-3724>] - Remove TomEE drop-in webapp distributions
> > >
> > > Dependency upgrade
> > >
> > > - [TOMEE-2630 <https://issues.apache.org/jira/browse/TOMEE-2630>] - update to latest geronimo-jsonb_1.0-spec
> > > - [TOMEE-2765 <https://issues.apache.org/jira/browse/TOMEE-2765>] - ShrinkWrap Maven Resolver 3.1.4
> > > - [TOMEE-3723 <https://issues.apache.org/jira/browse/TOMEE-3723>] - Upgrade to commons-lang3 3.12.0
> > > - [TOMEE-3800 <https://issues.apache.org/jira/browse/TOMEE-3800>] - DBCP 2.9.0
> > > - [TOMEE-3828 <https://issues.apache.org/jira/browse/TOMEE-3828>] - Upgrade to Tomcat 9.0.58
> > > - [TOMEE-3829 <https://issues.apache.org/jira/browse/TOMEE-3829>] - Upgrade Log4J2 to 2.17.1 in log4j2-tomee utils module
> > > - [TOMEE-3830 <https://issues.apache.org/jira/browse/TOMEE-3830>] - Upgrade BatchEE to 1.0.1
> > > - [TOMEE-3835 <https://issues.apache.org/jira/browse/TOMEE-3835>] - Apache OpenWebBeans 2.0.26
> > > - [TOMEE-3836 <https://issues.apache.org/jira/browse/TOMEE-3836>] - Apache Johnzon 1.2.16
> > > - [TOMEE-3837 <https://issues.apache.org/jira/browse/TOMEE-3837>] - Apache OpenJPA 3.2.1
> > >
> > > Documentation
> > >
> > > - [TOMEE-2293 <https://issues.apache.org/jira/browse/TOMEE-2293>] - The README.md's on many of the CDI examples requires some clean up.
> > > - [TOMEE-2303 <https://issues.apache.org/jira/browse/TOMEE-2303>] - Add technical documentation to main TomEE repo
> > > - [TOMEE-2852 <https://issues.apache.org/jira/browse/TOMEE-2852>] - Create session of documentation for Tomee Docker
> > >
> > > (Developers - please review and adjust your tickets if necessary!)
> > >
> > > Please VOTE:
> > >
> > > [+1] Yes, release it
> > > [+0] Not fussed
> > > [-1] Don't release, there's a showstopper (please specify what the
> > > showstopper is)
> > >
> > > Vote will be open for 72 hours.
> > >
> > > Thanks
> > > --
> > > Jean-Louis Monteiro
> > > http://twitter.com/jlouismonteiro
> > > http://www.tomitribe.com

--
Richard Zowalla, M.Sc.
Research Associate, PhD Student | Medical Informatics
Hochschule Heilbronn – University of Applied Sciences
Max-Planck-Str. 39
D-74081 Heilbronn
phone: +49 7131 504 6791 (currently not reachable by phone)
mail: [email protected]
web: https://www.mi.hs-heilbronn.de/
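
The premise of the false-positive argument in the reply above (the only Apache James code bundled is `apache-mime4j-core`, not the mail server) can be checked against the jar itself. The following is an added example, not part of the thread or of TomEE's tooling: it reads the Maven `pom.properties` metadata embedded in a jar, assumes the shading step kept that metadata, and runs on a sample jar constructed in memory; the verdict names are hypothetical.

```python
import io
import zipfile

# Assumption: the jar still carries the META-INF/maven/<groupId>/<artifactId>/pom.properties
# entries that Maven writes; a shade configuration can filter them out.
EXPECTED = {"apache-mime4j-core"}  # the only James artifact the message says is bundled


def bundled_artifacts(jar_bytes):
    """Return {(groupId, artifactId, version)} read from embedded pom.properties files."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            parts = name.split("/")
            if parts[:2] != ["META-INF", "maven"] or parts[-1] != "pom.properties":
                continue
            props = {}
            for line in jar.read(name).decode("utf-8", "replace").splitlines():
                if "=" in line and not line.startswith("#"):
                    key, _, value = line.partition("=")
                    props[key.strip()] = value.strip()
            if {"groupId", "artifactId", "version"} <= props.keys():
                found.add((props["groupId"], props["artifactId"], props["version"]))
    return found


def triage_james_finding(jar_bytes, expected=EXPECTED):
    """Classify a scanner hit on 'Apache James' against what the jar really bundles."""
    james = {a for a in bundled_artifacts(jar_bytes) if a[0].startswith("org.apache.james")}
    if not james:
        return "inconclusive", james  # no metadata found: inspect class packages by hand
    extra = {a for a in james if a[1] not in expected}
    return ("review", extra) if extra else ("library-only", james)


def make_sample_jar(coords):
    """Build a constructed in-memory jar that carries only Maven metadata (sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for group, artifact, version in coords:
            jar.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                         f"#Generated\ngroupId={group}\nartifactId={artifact}\nversion={version}\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = make_sample_jar([("org.apache.james", "apache-mime4j-core", "0.8.6"),
                              ("example.constructed", "mail-bundle", "0.0.0")])
    print(triage_james_finding(sample))
```

A `library-only` result confirms only which James artifacts are present; whether an advisory applies to that library version still has to be read from the advisory itself.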
