Hi, a short update here. Looks like we are +1 for doing a release rather soon than later.
Swell and myself did some dependency updates in the last days. I think, that we are in a good shape soon but need to address the following things: (A) BVAL 2.0.6 Currently, we have one bval tck test failing in TomEE, which is similar to [1]. I asked JL on Slack for help as he seems to be the person who solved it in [1]. Otherwise, we might revert the upgrade. (B) TOMEE-4066 Jackson seems to be affected by CVE-2022-42004 and CVE-2022-42003. The latter requires 2.14.0-rc1 as a fixed version. 2.14.0 final is planned for mid october [2], so we either ship with rc1 or wait until mid october. Gruß Richard [1] https://www.mail-archive.com/[email protected]/msg14542.html [2] https://groups.google.com/g/jackson-dev/c/RuiMDNM3vpQ/m/FgLnTxBPAwAJ Am Donnerstag, dem 29.09.2022 um 10:22 +0100 schrieb Jonathan Gallimore: > +1. And yes, this willinclude the fix to mitigate CVE-2021-43980. > > Jon > > On Wed, Sep 28, 2022 at 6:45 PM Alex The Rocker <[email protected] > > > wrote: > > > Hi there, > > > > +1 for a TomEE 8.013 ASAP provided it includes fix for: > > > > CVE-2021-43980 Apache Tomcat - Information Disclosure > > > > Kind regards, > > Alex > > > > Le mer. 28 sept. 2022 à 18:45, Zowalla, Richard > > <[email protected]> a écrit : > > > Hi all, > > > > > > our last 8.x release was in June and we have 22 pending > > > updates/issues > > > for 8.0.13. Mostly dependency updates (johnzon, dbcp2, myfaces, > > > hsqldb, > > > tomcat, jakarta faces), and some minor bugs (windows, jdk17+ > > > related > > > backports), see below. > > > > > > We might need to go through the 3rd party libs again and see, if > > > there > > > are additional updates we might want to include. > > > > > > Would be worth to do a release soon (Mid/End of October?), imho. > > > > > > Is there anything else we should include / patch before doing a > > > 8.0.13? > > > Any objections? > > > > > > Wdyt? > > > > > > Gruß > > > Richard > > > > > > > > > == Dependency upgrade > > > > > > [.compact] > > > - link: > > > https://issues.apache.org/jira/browse/TOMEE-3985[TOMEE-3985] > > BatchEE 1.0.2 > > > - link: > > > https://issues.apache.org/jira/browse/TOMEE-3800[TOMEE-3800] > > DBCP 2.9.0 > > > - link: > > > https://issues.apache.org/jira/browse/TOMEE-3986[TOMEE-3986] > > Hibernate Integration 5.6.9.Final > > > - link: > > > https://issues.apache.org/jira/browse/TOMEE-4042[TOMEE-4042] > > Jackson 2.13.4 > > > - link: > > > https://issues.apache.org/jira/browse/TOMEE-4020[TOMEE-4020] > > Jakarta Faces 2.3.18 > > > - link: > > > https://issues.apache.org/jira/browse/TOMEE-4026[TOMEE-4026] > > Johnzon 1.2.19 > > > - link: > > > https://issues.apache.org/jira/browse/TOMEE-4030[TOMEE-4030] > > Log4J2 2.18.0 > > > - link: > > > https://issues.apache.org/jira/browse/TOMEE-3998[TOMEE-3998] > > MyFaces 2.3.10 > > > - link: > > > https://issues.apache.org/jira/browse/TOMEE-4044[TOMEE-4044] > > Snakeyaml 1.32 > > > - link: > > > https://issues.apache.org/jira/browse/TOMEE-4002[TOMEE-4002] > > Tomcat 9.0.64 > > > - link: > > > https://issues.apache.org/jira/browse/TOMEE-4051[TOMEE-4051] > > Tomcat 9.0.65 > > > - link: > > > https://issues.apache.org/jira/browse/TOMEE-4018[TOMEE-4018] > > bcprov-jdk15on 1.70 > > > == Bug > > > > > > [.compact] > > > - link: > > > https://issues.apache.org/jira/browse/TOMEE-4021[TOMEE-4021] > > Unexpected ehcache 3.8.1 in tomee/lib > > > - link: > > > https://issues.apache.org/jira/browse/TOMEE-4014[TOMEE-4014] > > Unable to see TomEE version in Tomcat home page with Java 17 > > > - link: > > > https://issues.apache.org/jira/browse/TOMEE-4019[TOMEE-4019] > > HSQLDB 2.7.0 > > > - link: > > > https://issues.apache.org/jira/browse/TOMEE-3979[TOMEE-3979] > > service.bat issue when using JRE_HOME on Windows > > > - link: > > > https://issues.apache.org/jira/browse/TOMEE-4041[TOMEE-4041] 4 > > CVE Vulnerabilities in snakeyaml-1.30.jar > > > - link: > > > https://issues.apache.org/jira/browse/TOMEE-4001[TOMEE-4001] > > CVE-2022-34305 displaying user provided data without filtering, > > exposing a > > XSS vulnerability > > > == Improvement > > > > > > [.compact] > > > - link: > > > https://issues.apache.org/jira/browse/TOMEE-4000[TOMEE-4000] > > Add security.txt to website > > > - link: > > > https://issues.apache.org/jira/browse/TOMEE-3878[TOMEE-3878] > > Backport TOMEE-3877 to TomEE 8.x > > > - link: > > > https://issues.apache.org/jira/browse/TOMEE-3914[TOMEE-3914] > > Spring 3 Dependencies in TomEE Root POM > > > == Task > > > > > > [.compact] > > > - link: > > > https://issues.apache.org/jira/browse/TOMEE-4022[TOMEE-4022] > > Move to Apache Rat > > > == Fixed Common Vulnerabilities and Exposures (CVEs) > > > > > > [.compact] > > > - link: > > > https://issues.apache.org/jira/browse/TOMEE-4041[TOMEE-4041] 4 > > CVE Vulnerabilities in snakeyaml-1.30.jar > > > - link: > > > https://issues.apache.org/jira/browse/TOMEE-4001[TOMEE-4001] > > CVE-2022-34305 displaying user provided data without filtering, > > exposing a > > XSS vulnerability > >
smime.p7s
Description: S/MIME cryptographic signature
