Thanks for your time and detailed testing!

Regards
Richard

On Thursday, 13.10.2022 at 17:10 +0200, Alex The Rocker wrote:
> [+1] (non binding)
> Tested TomEE+ 8.0.13 with our web apps in VMs including using embedded
> ActiveMQ, also using servlets, JAX-RS, JAX-WS, JMS and Websockets on
> Linux CentOS 7.9 with IBM Semeru 17.0.4 as the Java runtime
> +
> Tested in Container-based services with same stack
>
> No problems found!
>
> Disclaimer: I haven't yet tested the embedded tomee with Arquillian (I
> probably won't have time before vote ends)
>
> Alex
>
> On Wed 12 Oct 2022 at 09:14, Zowalla, Richard
> <richard.zowa...@hs-heilbronn.de> wrote:
> > Hi Alex,
> >
> > I can confirm that 2.14.0-rc1 fixes the vulnerability as I cherry-picked
> > the related fixes to an upcoming 2.13.4.1 (micro patch version)
> > yesterday. My PR was merged in earlier today.
> >
> > The issue is that the fix version is set to 2.14.0 in the CVE itself
> > although it is included in 2.14.0-rc1. This is due to the fact that the
> > jackson people do not want a widespread use of rc1 due to the security
> > vulnerability as it only affects users if 'UNWRAP_SINGLE_VALUE_ARRAYS'
> > is set to enabled.
> >
> > I can add a related sentence to the release notes. In addition, I will
> > add a statement regarding hsqldb 2.7.1, which doesn't show up in grype
> > at all.
> >
> > Regards
> > Richard
> >
> > On Wednesday, 12.10.2022 at 08:49 +0200, Alex The Rocker wrote:
> > > Hello Again,
> > >
> > > Completed some basic tests with TomEE+ 8.0.13 (more complex tests to
> > > come), but also I ran https://github.com/anchore/grype latest version
> > > on TomEE+ 8.0.12 versus this candidate 8.0.13, with focus on Jackson
> > > CVEs, and here's the outcome:
> > >
> > > With TomEE+ 8.0.12, the jackson-databind-2.13.2.2.jar file was found
> > > to have the following vulnerabilities:
> > > CVE-2022-42003
> > > CVE-2022-42004
> > > GHSA-jjjh-jjxp-wpff
> > > GHSA-rgv9-q543-rqg4
> > >
> > > With TomEE+ 8.0.13 candidate release, the jackson-databind-2.14.0-rc1.jar
> > > file was found to have the following vulnerabilities:
> > > CVE-2022-42003
> > >
> > > which is bizarre because according to
> > > https://nvd.nist.gov/vuln/detail/CVE-2022-42003, 2.14.0-rc1 is
> > > supposed to fix CVE-2022-42003.
> > >
> > > I know that Grype isn't perfect, but the problem is that it is widely
> > > used, so if you are sure that this is a false positive, then can you
> > > please provide a statement about it in release notes and/or in
> > > documentation, to avoid users' confusion?
> > >
> > > PS: CVE-2022-42003 is rated 7.5 (High) by
> > > https://nvd.nist.gov/vuln/detail/CVE-2022-42003, so it's not quite
> > > right that TomEE 8.0.13 could be released without a word about it...
> > >
> > > I will send my vote when I have completed my more advanced tests with
> > > the 8.0.13 candidate release.
> > >
> > > Thanks,
> > > Alex
> > >
> > > On Tue 11 Oct 2022 at 22:28, Zowalla, Richard
> > > <richard.zowa...@hs-heilbronn.de> wrote:
> > > > Good catch. This is expected:
> > > >
> > > > https://issues.apache.org/jira/browse/TOMEE-4021
> > > >
> > > > or
> > > >
> > > > https://lists.apache.org/thread/8tky9dr2sf99cs2hrj95j81w1rhrtdfn
> > > >
> > > > Regards
> > > > Richard
> > > >
> > > > On Tuesday, 11.10.2022 at 22:23 +0200, Alex The Rocker wrote:
> > > > > Okay, I probably made a mistake somewhere.
> > > > > Also I see ehcache*.jar is removed in TomEE+ 8.0.13 => is it
> > > > > intentional (I love seeing fewer JARs ;)?
> > > > >
> > > > > Alex
> > > > >
> > > > > On Tue 11 Oct 2022 at 22:17, Zowalla, Richard
> > > > > <richard.zowa...@hs-heilbronn.de> wrote:
> > > > > > I am currently not on my dev system but I checked via:
> > > > > >
> > > > > > $ gpg --batch --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys B83D15E72253ED1104EB4FBBDAB472F0E5B8A431
> > > > > >
> > > > > > $ gpg --verify apache-tomee-8.0.13-plus.tar.gz.asc apache-tomee-8.0.13-plus.tar.gz
> > > > > >
> > > > > > gpg: Signatur vom Di 11 Okt 2022 13:14:04 CEST
> > > > > > gpg: mittels RSA-Schlüssel B83D15E72253ED1104EB4FBBDAB472F0E5B8A431
> > > > > > gpg: Korrekte Signatur von "Richard Zowalla (Code Signing Key) <r...@apache.org>" [unbekannt]
> > > > > >
> > > > > > Regards
> > > > > > Richard
> > > > > >
> > > > > > On Tuesday, 11.10.2022 at 22:04 +0200, Alex The Rocker wrote:
> > > > > > > Sorry, previous mail sent too quickly.
> > > > > > >
> > > > > > > What's wrong here?
> > > > > > >
> > > > > > > $ gpg --verify /tmp/tomee8013.asc apache-tomee-8.0.13-plus.tar.gz
> > > > > > > gpg: Signature made Tue 11 Oct 2022 01:14:04 PM CEST using RSA key ID E5B8A431
> > > > > > > gpg: Can't check signature: No public key
> > > > > > >
> > > > > > > On Tue 11 Oct 2022 at 22:03, Alex The Rocker
> > > > > > > <alex.m3...@gmail.com> wrote:
> > > > > > > > Hum... what's wrong here:
> > > > > > > >
> > > > > > > > On Tue 11 Oct 2022 at 21:22, Alex The Rocker
> > > > > > > > <alex.m3...@gmail.com> wrote:
> > > > > > > > > +1 for more frequent releases (at least based on CVEs with at
> > > > > > > > > least high severity)
> > > > > > > > > and yes, I have a relatively large test base; stay tuned!
> > > > > > > > >
> > > > > > > > > On Tue 11 Oct 2022 at 21:16, Richard Zowalla
> > > > > > > > > <r...@apache.org> wrote:
> > > > > > > > > > Hi Alex,
> > > > > > > > > >
> > > > > > > > > > we can maybe get into the habit of releasing more often (yes,
> > > > > > > > > > I know: we discussed this over and over on the list...).
> > > > > > > > > >
> > > > > > > > > > I was just copying from the VOTE template docs, which mention
> > > > > > > > > > to write "first attempt" and so on... - so no regrets, just
> > > > > > > > > > copy & paste.
> > > > > > > > > >
> > > > > > > > > > I don't expect any surprises but we never know: I did some
> > > > > > > > > > tests on some of our projects (jaxrs, jaxws, batche, ...) but
> > > > > > > > > > I have no possibility to do large scale tests as you can do
> > > > > > > > > > them ;-) - so happy to get some feedback.
> > > > > > > > > >
> > > > > > > > > > The CXF cleanup might be a candidate for regressions as we
> > > > > > > > > > shipped older code under the covers of newer cxf versions and
> > > > > > > > > > didn't notice that for some time now.
> > > > > > > > > >
> > > > > > > > > > Regards
> > > > > > > > > > Richard
> > > > > > > > > >
> > > > > > > > > > On Tuesday, 11.10.2022 at 21:05 +0200, Alex The Rocker wrote:
> > > > > > > > > > > Hi Richard,
> > > > > > > > > > >
> > > > > > > > > > > Thanks for this quick TomEE 8.0.3 release after not so long
> > > > > > > > > > > discussions!
> > > > > > > > > > > I'll run some tests ASAP and then give my vote (non-binding).
> > > > > > > > > > > Why do you mention "1st attempt"? Any regrets?
> > > > > > > > > > >
> > > > > > > > > > > Alex
> > > > > > > > > > >
> > > > > > > > > > > On Tue 11 Oct 2022 at 20:01, Richard Zowalla
> > > > > > > > > > > <r...@apache.org> wrote:
> > > > > > > > > > > > Hi all,
> > > > > > > > > > > >
> > > > > > > > > > > > this is a first attempt at a vote for a release of Apache
> > > > > > > > > > > > TomEE 8.0.13.
> > > > > > > > > > > >
> > > > > > > > > > > > It is a maintenance release with some bug fixes and
> > > > > > > > > > > > dependency upgrades.
> > > > > > > > > > > >
> > > > > > > > > > > > ###############
> > > > > > > > > > > >
> > > > > > > > > > > > Maven Repo:
> > > > > > > > > > > > https://repository.apache.org/content/repositories/orgapachetomee-1207
> > > > > > > > > > > >
> > > > > > > > > > > > <repositories>
> > > > > > > > > > > >   <repository>
> > > > > > > > > > > >     <id>tomee-8.0.13-release-test</id>
> > > > > > > > > > > >     <name>Testing TomEE 8.0.13 release candidate</name>
> > > > > > > > > > > >     <url>https://repository.apache.org/content/repositories/orgapachetomee-1207</url>
> > > > > > > > > > > >   </repository>
> > > > > > > > > > > > </repositories>
> > > > > > > > > > > >
> > > > > > > > > > > > ###############
> > > > > > > > > > > >
> > > > > > > > > > > > Binaries & Source:
> > > > > > > > > > > >
> > > > > > > > > > > > https://dist.apache.org/repos/dist/dev/tomee/staging-1207/tomee-8.0.13/
> > > > > > > > > > > >
> > > > > > > > > > > > ###############
> > > > > > > > > > > >
> > > > > > > > > > > > Tag:
> > > > > > > > > > > >
> > > > > > > > > > > > https://github.com/apache/tomee/releases/tag/tomee-project-8.0.13
> > > > > > > > > > > >
> > > > > > > > > > > > ###############
> > > > > > > > > > > >
> > > > > > > > > > > > Latest CI/CD build:
> > > > > > > > > > > >
> > > > > > > > > > > > https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full/226/
> > > > > > > > > > > >
> > > > > > > > > > > > ###############
> > > > > > > > > > > >
> > > > > > > > > > > > Release notes:
> > > > > > > > > > > >
> > > > > > > > > > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12351820
> > > > > > > > > > > >
> > > > > > > > > > > > ###############
> > > > > > > > > > > >
> > > > > > > > > > > > Here is an adoc generated version of the changelog as well:
> > > > > > > > > > > >
> > > > > > > > > > > > == Dependency upgrade
> > > > > > > > > > > >
> > > > > > > > > > > > [.compact]
> > > > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-3985[TOMEE-3985] BatchEE 1.0.2
> > > > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4057[TOMEE-4057] CXF 3.4.8
> > > > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-3800[TOMEE-3800] DBCP 2.9.0
> > > > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4059[TOMEE-4059] EclipseLink 2.7.11
> > > > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4063[TOMEE-4063] Geronimo Transaction Manager 3.1.5
> > > > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4019[TOMEE-4019] HSQLDB 2.7.0
> > > > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-3986[TOMEE-3986] Hibernate Integration 5.6.9.Final
> > > > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4042[TOMEE-4042] Jackson 2.13.4
> > > > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4067[TOMEE-4067] Jackson 2.14.0-rc1
> > > > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4020[TOMEE-4020] Jakarta Faces 2.3.18
> > > > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4026[TOMEE-4026] Johnzon 1.2.19
> > > > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4030[TOMEE-4030] Log4J2 2.18.0
> > > > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-3998[TOMEE-3998] MyFaces 2.3.10
> > > > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4044[TOMEE-4044] Snakeyaml 1.32
> > > > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4054[TOMEE-4054] Snakeyaml 1.33
> > > > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4002[TOMEE-4002] Tomcat 9.0.64
> > > > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4051[TOMEE-4051] Tomcat 9.0.65
> > > > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4060[TOMEE-4060] Tomcat 9.0.67
> > > > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4087[TOMEE-4087] Tomcat 9.0.68
> > > > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4018[TOMEE-4018] bcprov-jdk15on 1.70
> > > > > > > > > > > >
> > > > > > > > > > > > == New Feature
> > > > > > > > > > > >
> > > > > > > > > > > > [.compact]
> > > > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-3928[TOMEE-3928] Example for properties provider
> > > > > > > > > > > >
> > > > > > > > > > > > == Bug
> > > > > > > > > > > >
> > > > > > > > > > > > [.compact]
> > > > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4021[TOMEE-4021] Unexpected ehcache 3.8.1 in tomee/lib
> > > > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-3850[TOMEE-3850] HTTP(S) connections are not reused
> > > > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4014[TOMEE-4014] Unable to see TomEE version in Tomcat home page with Java 17
> > > > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-3979[TOMEE-3979] service.bat issue when using JRE_HOME on Windows
> > > > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4041[TOMEE-4041] 4 CVE Vulnerabilities in snakeyaml-1.30.jar
> > > > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4001[TOMEE-4001] CVE-2022-34305 displaying user provided data without filtering, exposing a XSS vulnerability
> > > > > > > > > > > >
> > > > > > > > > > > > == Improvement
> > > > > > > > > > > >
> > > > > > > > > > > > [.compact]
> > > > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-3878[TOMEE-3878] Backport 'No interface view EJB proxies broken on JDK16+' [TOMEE-3877] to TomEE 8.x
> > > > > > > > > > > >
> > > > > > > > > > > > == Task
> > > > > > > > > > > >
> > > > > > > > > > > > [.compact]
> > > > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4064[TOMEE-4064] OpenJPA 3.2.2 (examples), EclipseLink 2.7.11 (examples), Derby 10.14.2.0
> > > > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4022[TOMEE-4022] Move to Apache Rat
> > > > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4056[TOMEE-4056] Log4J2 2.19.0
> > > > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4058[TOMEE-4058] Update Krazo, DeltaSpike and Hibernate
> > > > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-3914[TOMEE-3914] Spring 3 Dependencies in TomEE Root POM
> > > > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4088[TOMEE-4088] Add workaround for CVE-2022-41853 (hsqldb)
> > > > > > > > > > > >
> > > > > > > > > > > > == Documentation
> > > > > > > > > > > >
> > > > > > > > > > > > [.compact]
> > > > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4023[TOMEE-4023] Comparison pages with wrong specs per profiles
> > > > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-3981[TOMEE-3981] update javadoc to reflect updates on Jakarta EE
> > > > > > > > > > > >
> > > > > > > > > > > > == Fixed Common Vulnerabilities and Exposures (CVEs)
> > > > > > > > > > > >
> > > > > > > > > > > > [.compact]
> > > > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4041[TOMEE-4041] 4 CVE Vulnerabilities in snakeyaml-1.30.jar
> > > > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4001[TOMEE-4001] CVE-2022-34305 displaying user provided data without filtering, exposing a XSS vulnerability
> > > > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4088[TOMEE-4088] Add workaround for CVE-2022-41853 (hsqldb)
> > > > > > > > > > > >
> > > > > > > > > > > > ###############
> > > > > > > > > > > >
> > > > > > > > > > > > Here is the dependency diff from 8.0.12 to 8.0.13 created
> > > > > > > > > > > > with David's new feature in our release tools:
> > > > > > > > > > > >
> > > > > > > > > > > > artifactId                      from       to
> > > > > > > > > > > > ------------------------------- ---------- ----------
> > > > > > > > > > > > jackson-annotations             2.13.2     2.14.0-rc1
> > > > > > > > > > > > jackson-core                    2.13.2     2.14.0-rc1
> > > > > > > > > > > > jackson-databind                2.13.2.2   2.14.0-rc1
> > > > > > > > > > > > jackson-dataformat-yaml         2.13.2     2.14.0-rc1
> > > > > > > > > > > > commons-cli                     1.4        1.5.0
> > > > > > > > > > > > batchee-jbatch                  1.0.1      1.0.2
> > > > > > > > > > > > commons-dbcp2                   2.3.0      2.9.0
> > > > > > > > > > > > cxf-rt-bindings-soap            3.4.5      3.4.8
> > > > > > > > > > > > cxf-rt-bindings-xml             3.4.5      3.4.8
> > > > > > > > > > > > cxf-rt-frontend-jaxws           3.4.5      3.4.8
> > > > > > > > > > > > cxf-rt-frontend-simple          3.4.5      3.4.8
> > > > > > > > > > > > cxf-rt-management               3.4.5      3.4.8
> > > > > > > > > > > > cxf-rt-rs-extension-providers   3.4.5      3.4.8
> > > > > > > > > > > > cxf-rt-rs-extension-search      3.4.5      3.4.8
> > > > > > > > > > > > cxf-rt-rs-json-basic            3.4.5      3.4.8
> > > > > > > > > > > > cxf-rt-rs-mp-client             3.4.5      3.4.8
> > > > > > > > > > > > cxf-rt-rs-security-cors         3.4.5      3.4.8
> > > > > > > > > > > > cxf-rt-rs-security-jose         3.4.5      3.4.8
> > > > > > > > > > > > cxf-rt-rs-security-jose-jaxrs   3.4.5      3.4.8
> > > > > > > > > > > > cxf-rt-rs-security-oauth2       3.4.5      3.4.8
> > > > > > > > > > > > cxf-rt-rs-service-description   3.4.5      3.4.8
> > > > > > > > > > > > cxf-rt-rs-sse                   3.4.5      3.4.8
> > > > > > > > > > > > cxf-rt-security                 3.4.5      3.4.8
> > > > > > > > > > > > cxf-rt-security-saml            3.4.5      3.4.8
> > > > > > > > > > > > cxf-rt-ws-addr                  3.4.5      3.4.8
> > > > > > > > > > > > cxf-rt-ws-policy                3.4.5      3.4.8
> > > > > > > > > > > > cxf-rt-ws-security              3.4.5      3.4.8
> > > > > > > > > > > > cxf-rt-wsdl                     3.4.5      3.4.8
> > > > > > > > > > > > geronimo-connector              3.1.4      3.1.5
> > > > > > > > > > > > geronimo-transaction            3.1.4      3.1.5
> > > > > > > > > > > > johnzon-core                    1.2.18     1.2.19
> > > > > > > > > > > > johnzon-jaxrs                   1.2.18     1.2.19
> > > > > > > > > > > > johnzon-jsonb                   1.2.18     1.2.19
> > > > > > > > > > > > johnzon-jsonp-strict            1.2.18     1.2.19
> > > > > > > > > > > > johnzon-mapper                  1.2.18     1.2.19
> > > > > > > > > > > > myfaces-api                     2.3.9      2.3.10
> > > > > > > > > > > > myfaces-impl                    2.3.9      2.3.10
> > > > > > > > > > > > cxf-shade                       8.0.12     8.0.13
> > > > > > > > > > > > taglibs-shade                   8.0.12     8.0.13
> > > > > > > > > > > > tomee-bootstrap                 8.0.12     8.0.13
> > > > > > > > > > > > bcprov-jdk15on                  1.69       1.70
> > > > > > > > > > > > eclipselink                     2.7.9      2.7.11
> > > > > > > > > > > > jakarta.faces                   2.3.15     2.3.18
> > > > > > > > > > > > hsqldb                          2.5.2      2.7.0
> > > > > > > > > > > > snakeyaml                       1.30       1.33
> > > > > > > > > > > >
> > > > > > > > > > > > ###############
> > > > > > > > > > > >
> > > > > > > > > > > > Please note:
> > > > > > > > > > > >
> > > > > > > > > > > > (1) CVE-2022-42003 (jackson-databind): Users are only
> > > > > > > > > > > > affected if 'UNWRAP_SINGLE_VALUE_ARRAYS' is set to enabled.
> > > > > > > > > > > > Mitigation is included in 2.14.0-rc1 - as discussed in a
> > > > > > > > > > > > separate thread, we are "ok" to ship a RC version. We aim
> > > > > > > > > > > > to do a follow up release of TomEE 8.x soon.
> > > > > > > > > > > >
> > > > > > > > > > > > (2) CVE-2022-41853 (hsqldb): As v2.7.1 isn't available yet,
> > > > > > > > > > > > TomEE sets "hsqldb.method_class_names" to an invalid value
> > > > > > > > > > > > to mitigate the vulnerability. Users can override the
> > > > > > > > > > > > property as needed.
> > > > > > > > > > > >
> > > > > > > > > > > > ###############
> > > > > > > > > > > >
> > > > > > > > > > > > Please VOTE
> > > > > > > > > > > >
> > > > > > > > > > > > [+1] go ship it
> > > > > > > > > > > > [+0] meh, don't care
> > > > > > > > > > > > [-1] stop, there is a ${showstopper}
> > > > > > > > > > > >
> > > > > > > > > > > > The VOTE is open for 72h or as long as needed.
> > > > > > > > > > > >
> > > > > > > > > > > > Regards
> > > > > > > > > > > > Richard
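The grype finding Alex reports (jackson-databind-2.14.0-rc1.jar still flagged for CVE-2022-42003) and Richard's explanation (the advisory's fix version says 2.14.0, the fix is already in 2.14.0-rc1) come down to version ordering: a pre-release qualifier sorts before the plain release, so a "fixed in 2.14.0" rule treats rc1 as unpatched. The following added example is not code from the thread, the TomEE project or grype; it models that ordering (a simplified Maven-style comparison, an assumption of this example) with constructed advisory data and shows how a release-notes statement of known-fixed versions can be used to triage such a finding as a documented false positive.

```python
"""Why a fixed-in-version rule flags jackson-databind 2.14.0-rc1 for CVE-2022-42003.

Added example, not the scanner's or the project's own code. Advisory data below is
constructed for illustration; the fixed-in version for CVE-2022-42003 follows the
thread (2.14.0), the one for CVE-2022-42004 is an assumption of this example.
"""
import re
from typing import Dict, List, Tuple

# Constructed advisory table: (vulnerability id, package, fixed-in version).
ADVISORIES = [
    ("CVE-2022-42003", "jackson-databind", "2.14.0"),
    ("CVE-2022-42004", "jackson-databind", "2.13.4"),
]

# Constructed "release notes" statement: versions that carry a fix although they
# sort before the advisory's fixed-in version.
KNOWN_FIXED = {("CVE-2022-42003", "jackson-databind", "2.14.0-rc1")}


def parse_version(v: str) -> Tuple[List[int], Tuple[int, str, int]]:
    """Split '2.14.0-rc1' into numeric segments and a qualifier key.

    The qualifier key makes a pre-release sort *before* the final release:
    (0, 'rc', 1) < (1, '', 0). This is a simplified Maven ordering, assumed
    for the example, not the exact algorithm any particular scanner uses.
    """
    core, _, qualifier = v.partition("-")
    numbers = [int(x) for x in core.split(".")]
    if not qualifier:
        return numbers, (1, "", 0)
    m = re.fullmatch(r"([A-Za-z]+)(\d*)", qualifier)
    if not m:
        raise ValueError(f"unsupported qualifier in {v!r}")
    return numbers, (0, m.group(1).lower(), int(m.group(2) or 0))


def version_lt(a: str, b: str) -> bool:
    """True if version a sorts before version b."""
    na, qa = parse_version(a)
    nb, qb = parse_version(b)
    # Pad the shorter numeric list so 2.13.2.2 and 2.13.4 compare segment-wise.
    width = max(len(na), len(nb))
    na += [0] * (width - len(na))
    nb += [0] * (width - len(nb))
    return (na, qa) < (nb, qb)


def scanner_findings(package: str, version: str) -> List[str]:
    """Advisory ids a plain 'installed < fixed-in' rule would report."""
    return [cve for cve, pkg, fixed in ADVISORIES
            if pkg == package and version_lt(version, fixed)]


def triage(package: str, version: str) -> Dict[str, List[str]]:
    """Split findings into still-open ones and documented false positives."""
    found = scanner_findings(package, version)
    false_positive = [c for c in found if (c, package, version) in KNOWN_FIXED]
    still_open = [c for c in found if c not in false_positive]
    return {"open": still_open, "false_positive": false_positive}


if __name__ == "__main__":
    # 8.0.12 shipped 2.13.2.2, the 8.0.13 candidate ships 2.14.0-rc1.
    for v in ("2.13.2.2", "2.14.0-rc1", "2.14.0"):
        print(f"jackson-databind {v}: {triage('jackson-databind', v)}")
```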