Hi there,

+1 for a TomEE 8.013 ASAP provided it includes a fix for:
CVE-2021-43980 Apache Tomcat - Information Disclosure

Kind regards,
Alex

On Wed, 28 Sept 2022 at 18:45, Zowalla, Richard <[email protected]> wrote:
>
> Hi all,
>
> our last 8.x release was in June and we have 22 pending updates/issues
> for 8.0.13. Mostly dependency updates (johnzon, dbcp2, myfaces, hsqldb,
> tomcat, jakarta faces), and some minor bugs (windows, jdk17+ related
> backports), see below.
>
> We might need to go through the 3rd party libs again and see if there
> are additional updates we might want to include.
>
> Would be worth doing a release soon (Mid/End of October?), imho.
>
> Is there anything else we should include / patch before doing a 8.0.13?
> Any objections?
>
> Wdyt?
>
> Regards
> Richard
>
>
> == Dependency upgrade
>
> [.compact]
> - link:https://issues.apache.org/jira/browse/TOMEE-3985[TOMEE-3985] BatchEE 1.0.2
> - link:https://issues.apache.org/jira/browse/TOMEE-3800[TOMEE-3800] DBCP 2.9.0
> - link:https://issues.apache.org/jira/browse/TOMEE-3986[TOMEE-3986] Hibernate Integration 5.6.9.Final
> - link:https://issues.apache.org/jira/browse/TOMEE-4042[TOMEE-4042] Jackson 2.13.4
> - link:https://issues.apache.org/jira/browse/TOMEE-4020[TOMEE-4020] Jakarta Faces 2.3.18
> - link:https://issues.apache.org/jira/browse/TOMEE-4026[TOMEE-4026] Johnzon 1.2.19
> - link:https://issues.apache.org/jira/browse/TOMEE-4030[TOMEE-4030] Log4J2 2.18.0
> - link:https://issues.apache.org/jira/browse/TOMEE-3998[TOMEE-3998] MyFaces 2.3.10
> - link:https://issues.apache.org/jira/browse/TOMEE-4044[TOMEE-4044] Snakeyaml 1.32
> - link:https://issues.apache.org/jira/browse/TOMEE-4002[TOMEE-4002] Tomcat 9.0.64
> - link:https://issues.apache.org/jira/browse/TOMEE-4051[TOMEE-4051] Tomcat 9.0.65
> - link:https://issues.apache.org/jira/browse/TOMEE-4018[TOMEE-4018] bcprov-jdk15on 1.70
>
> == Bug
>
> [.compact]
> - link:https://issues.apache.org/jira/browse/TOMEE-4021[TOMEE-4021] Unexpected ehcache 3.8.1 in tomee/lib
> - link:https://issues.apache.org/jira/browse/TOMEE-4014[TOMEE-4014] Unable to see TomEE version in Tomcat home page with Java 17
> - link:https://issues.apache.org/jira/browse/TOMEE-4019[TOMEE-4019] HSQLDB 2.7.0
> - link:https://issues.apache.org/jira/browse/TOMEE-3979[TOMEE-3979] service.bat issue when using JRE_HOME on Windows
> - link:https://issues.apache.org/jira/browse/TOMEE-4041[TOMEE-4041] 4 CVE Vulnerabilities in snakeyaml-1.30.jar
> - link:https://issues.apache.org/jira/browse/TOMEE-4001[TOMEE-4001] CVE-2022-34305 displaying user provided data without filtering, exposing a XSS vulnerability
>
> == Improvement
>
> [.compact]
> - link:https://issues.apache.org/jira/browse/TOMEE-4000[TOMEE-4000] Add security.txt to website
> - link:https://issues.apache.org/jira/browse/TOMEE-3878[TOMEE-3878] Backport TOMEE-3877 to TomEE 8.x
> - link:https://issues.apache.org/jira/browse/TOMEE-3914[TOMEE-3914] Spring 3 Dependencies in TomEE Root POM
>
> == Task
>
> [.compact]
> - link:https://issues.apache.org/jira/browse/TOMEE-4022[TOMEE-4022] Move to Apache Rat
>
> == Fixed Common Vulnerabilities and Exposures (CVEs)
>
> [.compact]
> - link:https://issues.apache.org/jira/browse/TOMEE-4041[TOMEE-4041] 4 CVE Vulnerabilities in snakeyaml-1.30.jar
> - link:https://issues.apache.org/jira/browse/TOMEE-4001[TOMEE-4001] CVE-2022-34305 displaying user provided data without filtering, exposing a XSS vulnerability
