Hi all,

Don't want to hijack the other thread, so starting a new one based on the
discussion.

> I don't think releasing a "last 7.1.x" version with CVEs would be of
> any good

I join Alex on this one. Does it really make sense to release a TomEE app
server with known CVEs?

I'm not arguing on the grype output and the validity or not of the report.
But overall, we do have EOL libraries in there and we know we won't get
patches even for CVEs for CXF and other libraries.

> @Alex Thanks. We might not be able to address all CVEs as some of the
> libs used for EE7 aren't patched / updated anymore. I will have a look.

This is also your point Richard.

Based on this, does it mean we should call 7.1.x EOL and stop producing
releases?
The path to TomEE 8.x is pretty straightforward and backward compatible so
it's not like moving from 8.x to 9.x.

What do you think?

--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com


---------- Forwarded message ---------
From: Zowalla, Richard <[email protected]>
Date: Tue, Aug 2, 2022 at 3:48 PM
Subject: [CANCEL] [VOTE] Apache TomEE 7.1.5
To: [email protected] <[email protected]>


Hi,

thanks for the concerns raised. Better to check the CVE report and do a
re-roll ;-)

@JL: Will take a look.

@Alex Thanks. We might not be able to address all CVEs as some of the libs
used for EE7 aren't patched / updated anymore. I will have a look.

Regards
Richard
________________________________
From: Jean-Louis Monteiro <[email protected]>
Sent: Tuesday, 2 August 2022 15:30:31
To: [email protected]
Subject: Re: [VOTE] Apache TomEE 7.1.5

-1 (binding)

Something went bad during the release. Looks like our libs are still
1.7.5-SNAPSHOT.
--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com


On Tue, Aug 2, 2022 at 2:37 PM Alex The Rocker <[email protected]> wrote:

> Hello,
>
> [-1] (non binding)
>
> Indeed, I downloaded TomEE+ 7.1.5 binary (from
> https://dist.apache.org/repos/dist/dev/tomee/staging-1206/tomee-7.1.5/apache-tomee-7.1.5-plus.tar.gz )
> and then I ran Grype (https://github.com/anchore/grype) on TomEE+'s
> archive extract directory.
>
> That gives 2 Critical and 125 High CVEs (see attached Grype output for
> this scan).
>
> I agree with whoever will say that Grype isn't quite smart, but
> nevertheless the world is now paranoid about security matters.
>
> I don't think releasing a "last 7.1.x" version with CVEs would be of
> any good, so Grype's output is all false positive, then at least we
> need a statement to avoid confusion in this page:
> https://tomee.apache.org/security/tomee.html
>
> Please also note in attached Grype output the Warning lines related to
> archive-xbean-asm6-shaded-4.8.jar: isn't that showing a somehow
> malformed MANIFEST ?
>
> Thanks,
> Alex
>
> On Mon, 1 Aug 2022 at 19:35, Richard Zowalla <[email protected]> wrote:
> >
> > Hi all,
> >
> > this is a first attempt at a vote for a release of Apache TomEE 7.1.5
> >
> > It is a maintenance release with some bug fixes and dependency
> > upgrades for which there was some interest on the list.
> >
> > Yet a discussion about whether this will be the last release of the
> > 7.1.x series is pending.
> >
> > Here is some info:
> >
> > Maven Repo:
> > https://repository.apache.org/content/repositories/orgapachetomee-1206
> >
> >   <repositories>
> >     <repository>
> >       <id>tomee-7.1.5-release-test</id>
> >       <name>Testing TomEE 7.1.5 release candidate</name>
> > <url>
> > https://repository.apache.org/content/repositories/orgapachetomee-1206
> > </url>
> >     </repository>
> >   </repositories>
> >
> >
> > Binaries & Source:
> > https://dist.apache.org/repos/dist/dev/tomee/staging-1206/
> >
> > Tag:
> > https://github.com/apache/tomee/tree/tomee-project-7.1.5
> >
> > Latest (green) CI/CD build:
> >
> > https://ci-builds.apache.org/job/Tomee/job/tomee-7.1.x/19/
> >
> > Release notes:
> >
> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12349482
> >
> >
> > Here is an adoc generated version of the changelog as well:
> >
> >
> > == Dependency upgrade
> >
> > [.compact]
> >  - link:https://issues.apache.org/jira/browse/TOMEE-2959[TOMEE-2959] jackson 2.12.0
> >  - link:https://issues.apache.org/jira/browse/TOMEE-3941[TOMEE-3941]
> > ActiveMQ 5.16.5
> >  - link:https://issues.apache.org/jira/browse/TOMEE-3985[TOMEE-3985]
> > BatchEE 1.0.2
> >  - link:https://issues.apache.org/jira/browse/TOMEE-3772[TOMEE-3772]
> > JUnit 4.13.2
> >  - link:https://issues.apache.org/jira/browse/TOMEE-2979[TOMEE-2979]
> > MyFaces 2.2.14
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4016[TOMEE-4016]
> > Myfaces 2.2.15
> >  - link:https://issues.apache.org/jira/browse/TOMEE-2958[TOMEE-2958]
> > Tomcat 8.5.61
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4017[TOMEE-4017]
> > Tomcat 8.5.81
> >  - link:https://issues.apache.org/jira/browse/TOMEE-2939[TOMEE-2939]
> > bcprov-jdk15on 1.67
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4018[TOMEE-4018]
> > bcprov-jdk15on 1.70
> >  - link:https://issues.apache.org/jira/browse/TOMEE-3719[TOMEE-3719]
> > commons-io 2.8
> >
> > == Bug
> >
> > [.compact]
> >  - link:https://issues.apache.org/jira/browse/TOMEE-2919[TOMEE-2919]
> > java.util.ConcurrentModificationException error deploying ear in TomEE
> > Plus 7.1.4
> >  - link:https://issues.apache.org/jira/browse/TOMEE-2968[TOMEE-2968]
> > Postgres connection error when a password contains "}"
> >  - link:https://issues.apache.org/jira/browse/TOMEE-2125[TOMEE-2125]
> > Datasource config: MaxWait, timeBetweenEvictionRunsMillis and
> > MinEvictableIdleTimeMillis are ignored
> >  - link:https://issues.apache.org/jira/browse/TOMEE-3718[TOMEE-3718]
> > Missing mime mappings
> >
> > == Improvement
> >
> > [.compact]
> >  - link:https://issues.apache.org/jira/browse/TOMEE-2957[TOMEE-2957]
> > Fix OWASP Checks on ASF Jenkins Environment
> >  - link:https://issues.apache.org/jira/browse/TOMEE-2973[TOMEE-2973]
> > TomEE :: Examples :: JSF2/CDI/BV/JPA/DeltaSpike uses too old version of
> > commons-lang3
> >
> >
> > Please VOTE
> >
> > [+1] go ship it
> > [+0] meh, don't care
> > [-1] stop, there is a ${showstopper}
> >
> > The VOTE is open for 72h or as long as needed.
> >
> > Regards
> > Richard
> >
>
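The Grype scan Alex describes above, turned into a release gate that a release manager could run before opening a vote. This is an added example, not code from the TomEE project or from the thread: it assumes Grype's JSON output shape (a top-level "matches" list whose entries carry "vulnerability" with id, severity and fix.state, and "artifact" with name and version), and the embedded report is a constructed sample, not the real scan attached to the vote.

```python
"""Summarise a Grype JSON report and decide whether a release candidate
passes a severity gate. Added example; assumes Grype's JSON layout
(matches[].vulnerability.{id,severity,fix.state}, matches[].artifact.{name,version})."""
import json
from collections import Counter

# Ordered from most to least severe; "Unknown" is deliberately last.
SEVERITIES = ["Critical", "High", "Medium", "Low", "Negligible", "Unknown"]

# Constructed sample in the shape of `grype dir:<extracted-tomee> -o json`.
# CVE ids are placeholders and the CXF version is made up; jackson 2.12.0
# and ActiveMQ 5.16.x are the versions named in the changelog above.
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                       "fix": {"state": "fixed", "versions": ["2.13.4"]}},
     "artifact": {"name": "jackson-databind", "version": "2.12.0"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                       "fix": {"state": "not-fixed", "versions": []}},
     "artifact": {"name": "cxf-core", "version": "3.1.18"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium",
                       "fix": {"state": "fixed", "versions": ["5.16.5"]}},
     "artifact": {"name": "activemq-broker", "version": "5.16.4"}},
]})

def summarize(report_json):
    """Return (Counter of findings per severity, list of (id, name, version, fix_state))."""
    data = json.loads(report_json)
    counts, findings = Counter(), []
    for m in data.get("matches", []):
        vuln, art = m["vulnerability"], m["artifact"]
        counts[vuln.get("severity", "Unknown")] += 1
        findings.append((vuln["id"], art["name"], art["version"],
                         vuln.get("fix", {}).get("state", "unknown")))
    return counts, findings

def unfixable(findings):
    """Findings with no upstream fix: the EOL-library case raised in the thread."""
    return [f for f in findings if f[3] != "fixed"]

def gate(counts, fail_on="High"):
    """True when no finding is at or above the fail_on severity."""
    blocked = SEVERITIES[:SEVERITIES.index(fail_on) + 1]
    return sum(counts[s] for s in blocked) == 0

if __name__ == "__main__":
    counts, findings = summarize(SAMPLE_REPORT)
    for sev in SEVERITIES:
        if counts[sev]:
            print(f"{sev:10} {counts[sev]}")
    for fid, name, ver, state in unfixable(findings):
        print(f"no fix available: {fid} in {name}:{ver} (state={state})")
    print("release gate:", "PASS" if gate(counts) else "FAIL")
```

Feed it the real report with `grype dir:<extracted-archive> -o json > report.json` and `summarize(open("report.json").read())`; the unfixable list is the one to reconcile against the statement on the TomEE security page.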
