Re: [VOTE] Apache TomEE 8.0.13 - First Attempt

Wiesner, Martin Sat, 15 Oct 2022 23:33:36 -0700

Hi all,

+1 (non-binding)


Tested with several projects (primarily web services, JSF…), 
both on Linux & Mac OS, each under OpenJDK 17 (latest).

Best
Martin
—
https://twitter.com/mawiesne <https://twitter.com/mawiesne>


> Am 15.10.2022 um 19:41 schrieb Daniel Dias Dos Santos 
> <daniel.dias.analist...@gmail.com>:
> 
> Hello,
> 
> +1
> 
> On Sat, Oct 15, 2022, 14:39 Richard Zowalla <r...@apache.org> wrote:
> 
>> Any more votes?
>> 
>> Am Dienstag, dem 11.10.2022 um 19:59 +0200 schrieb Richard Zowalla:
>>> Hi all,
>>> 
>>> this is a first attempt at a vote for a release of Apache TomEE
>>> 8.0.13.
>>> 
>>> It is a maintenance release with some bug fixes and dependencies
>>> upgrades.
>>> 
>>> ###############
>>> 
>>> Maven Repo:
>>> https://repository.apache.org/content/repositories/orgapachetomee-1207
>>> 
>>>  <repositories>
>>>    <repository>
>>>      <id>tomee-8.0.13-release-test</id>
>>>      <name>Testing TomEE 8.0.13 release candidate</name>
>>> <url>
>>> https://repository.apache.org/content/repositories/orgapachetomee-1207
>>> </url>
>>>    </repository>
>>>  </repositories>
>>> 
>>> ###############
>>> 
>>> Binaries & Source:
>>> 
>>> https://dist.apache.org/repos/dist/dev/tomee/staging-1207/tomee-8.0.13/
>>> 
>>> ###############
>>> 
>>> Tag:
>>> 
>>> https://github.com/apache/tomee/releases/tag/tomee-project-8.0.13
>>> 
>>> ###############
>>> 
>>> Latest CI/CD build:
>>> 
>>> https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full/226/
>>> 
>>> ###############
>>> 
>>> Release notes:
>>> 
>>> 
>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12351820
>>> 
>>> ###############
>>> 
>>> Here is an adoc generated version of the changelog as well:
>>> 
>>> == Dependency upgrade
>>> 
>>> [.compact]
>>> - link:https://issues.apache.org/jira/browse/TOMEE-3985[TOMEE-3985]
>>> BatchEE 1.0.2
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4057[TOMEE-4057]
>>> CXF 3.4.8
>>> - link:https://issues.apache.org/jira/browse/TOMEE-3800[TOMEE-3800]
>>> DBCP 2.9.0
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4059[TOMEE-4059]
>>> EclipseLink 2.7.11
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4063[TOMEE-4063]
>>> Geronimo Transaction Manager 3.1.5
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4019[TOMEE-4019]
>>> HSQLDB 2.7.0
>>> - link:https://issues.apache.org/jira/browse/TOMEE-3986[TOMEE-3986]
>>> Hibernate Integration 5.6.9.Final
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4042[TOMEE-4042]
>>> Jackson 2.13.4
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4067[TOMEE-4067]
>>> Jackson 2.14.0-rc1
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4020[TOMEE-4020]
>>> Jakarta Faces 2.3.18
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4026[TOMEE-4026]
>>> Johnzon 1.2.19
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4030[TOMEE-4030]
>>> Log4J2 2.18.0
>>> - link:https://issues.apache.org/jira/browse/TOMEE-3998[TOMEE-3998]
>>> MyFaces 2.3.10
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4044[TOMEE-4044]
>>> Snakeyaml 1.32
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4054[TOMEE-4054]
>>> Snakeyaml 1.33
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4002[TOMEE-4002]
>>> Tomcat 9.0.64
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4051[TOMEE-4051]
>>> Tomcat 9.0.65
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4060[TOMEE-4060]
>>> Tomcat 9.0.67
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4087[TOMEE-4087]
>>> Tomcat 9.0.68
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4018[TOMEE-4018]
>>> bcprov-jdk15on 1.70
>>> 
>>> == New Feature
>>> 
>>> [.compact]
>>> - link:https://issues.apache.org/jira/browse/TOMEE-3928[TOMEE-3928]
>>> Example for properties provider
>>> 
>>> == Bug
>>> 
>>> [.compact]
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4021[TOMEE-4021]
>>> Unexpected ehcache 3.8.1 in tomee/lib
>>> - link:https://issues.apache.org/jira/browse/TOMEE-3850[TOMEE-3850]
>>> HTTP(S) connections are not reused
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4014[TOMEE-4014]
>>> Unable to see TomEE version in Tomcat home page with Java 17
>>> - link:https://issues.apache.org/jira/browse/TOMEE-3979[TOMEE-3979]
>>> service.bat issue when using JRE_HOME on Windows
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4041[TOMEE-4041]
>>> 4
>>> CVE Vulnerabilities in snakeyaml-1.30.jar
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4001[TOMEE-4001]
>>> CVE-2022-34305 displaying user provided data without filtering,
>>> exposing a XSS vulnerability
>>> 
>>> == Improvement
>>> 
>>> [.compact]
>>> - link:https://issues.apache.org/jira/browse/TOMEE-3878[TOMEE-3878]
>>> Backport 'No interface view EJB proxies broken on JDK16+' [TOMEE-
>>> 3877] to TomEE 8.x
>>> 
>>> == Task
>>> 
>>> [.compact]
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4064[TOMEE-4064]
>>> OpenJPA 3.2.2 (examples), EclipseLink 2.7.11 (examples), Derby
>>> 10.14.2.0
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4022[TOMEE-4022]
>>> Move to Apache Rat
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4056[TOMEE-4056]
>>> Log4J2 2.19.0
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4058[TOMEE-4058]
>>> Update Krazo, DeltaSpike and Hibernate
>>> - link:https://issues.apache.org/jira/browse/TOMEE-3914[TOMEE-3914]
>>> Spring 3 Dependencies in TomEE Root POM
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4088[TOMEE-4088]
>>> Add workaround for CVE-2022-41853 (hsqldb)
>>> 
>>> == Documentation
>>> 
>>> [.compact]
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4023[TOMEE-4023]
>>> Comparison pages with wrong specs per profiles
>>> - link:https://issues.apache.org/jira/browse/TOMEE-3981[TOMEE-3981]
>>> update javadoc to reflect updates on Jakarta EE
>>> 
>>> == Fixed Common Vulnerabilities and Exposures (CVEs)
>>> 
>>> [.compact]
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4041[TOMEE-4041]
>>> 4
>>> CVE Vulnerabilities in snakeyaml-1.30.jar
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4001[TOMEE-4001]
>>> CVE-2022-34305 displaying user provided data without filtering,
>>> exposing a XSS vulnerability
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4088[TOMEE-4088]
>>> Add workaround for CVE-2022-41853 (hsqldb)
>>> 
>>> ###############
>>> 
>>> Here is the dependency diff from 8.0.12 to 8.0.13 created with
>>> David's
>>> new feature in our release tools:
>>> 
>>>          artifactId               from            to
>>> ------------------------------- ---------- -------------------
>>> jackson-annotations               2.13.2   2.14.0-rc1
>>> jackson-core                      2.13.2   2.14.0-rc1
>>> jackson-databind                2.13.2.2   2.14.0-rc1
>>> jackson-dataformat-yaml           2.13.2   2.14.0-rc1
>>> commons-cli                          1.4   1.5.0
>>> batchee-jbatch                     1.0.1   1.0.2
>>> commons-dbcp2                      2.3.0   2.9.0
>>> cxf-rt-bindings-soap               3.4.5   3.4.8
>>> cxf-rt-bindings-xml                3.4.5   3.4.8
>>> cxf-rt-frontend-jaxws              3.4.5   3.4.8
>>> cxf-rt-frontend-simple             3.4.5   3.4.8
>>> cxf-rt-management                  3.4.5   3.4.8
>>> cxf-rt-rs-extension-providers      3.4.5   3.4.8
>>> cxf-rt-rs-extension-search         3.4.5   3.4.8
>>> cxf-rt-rs-json-basic               3.4.5   3.4.8
>>> cxf-rt-rs-mp-client                3.4.5   3.4.8
>>> cxf-rt-rs-security-cors            3.4.5   3.4.8
>>> cxf-rt-rs-security-jose            3.4.5   3.4.8
>>> cxf-rt-rs-security-jose-jaxrs      3.4.5   3.4.8
>>> cxf-rt-rs-security-oauth2          3.4.5   3.4.8
>>> cxf-rt-rs-service-description      3.4.5   3.4.8
>>> cxf-rt-rs-sse                      3.4.5   3.4.8
>>> cxf-rt-security                    3.4.5   3.4.8
>>> cxf-rt-security-saml               3.4.5   3.4.8
>>> cxf-rt-ws-addr                     3.4.5   3.4.8
>>> cxf-rt-ws-policy                   3.4.5   3.4.8
>>> cxf-rt-ws-security                 3.4.5   3.4.8
>>> cxf-rt-wsdl                        3.4.5   3.4.8
>>> geronimo-connector                 3.1.4   3.1.5
>>> geronimo-transaction               3.1.4   3.1.5
>>> johnzon-core                      1.2.18   1.2.19
>>> johnzon-jaxrs                     1.2.18   1.2.19
>>> johnzon-jsonb                     1.2.18   1.2.19
>>> johnzon-jsonp-strict              1.2.18   1.2.19
>>> johnzon-mapper                    1.2.18   1.2.19
>>> myfaces-api                        2.3.9   2.3.10
>>> myfaces-impl                       2.3.9   2.3.10
>>> cxf-shade                         8.0.12   8.0.13
>>> taglibs-shade                     8.0.12   8.0.13
>>> tomee-bootstrap                   8.0.12   8.0.13
>>> bcprov-jdk15on                      1.69   1.70
>>> eclipselink                        2.7.9   2.7.11
>>> jakarta.faces                     2.3.15   2.3.18
>>> hsqldb                             2.5.2   2.7.0
>>> snakeyaml                           1.30   1.33
>>> 
>>> ###############
>>> 
>>> Please note:
>>> 
>>> (1) CVE-2022-42003 (jackson-databind): Users are only affected, if
>>> 'UNWRAP_SINGLE_VALUE_ARRAYS' is set to enabled. Mitigation is
>>> included
>>> in 2.14.0-rc1 - as discussed in a separate thread, we are "ok" to
>>> ship
>>> a RC version. We aim to do a follow up release of TomEE 8.x soon.
>>> 
>>> (2) CVE-2022-41853 (hsqldb): As v2.7.1 isn't available yet, TomEE
>>> sets
>>> "hsqldb.method_class_names" to an invalid value to mitigate the
>>> vulnerability. Users can override the property as needed.
>>> 
>>> ###############
>>> 
>>> 
>>> Please VOTE
>>> 
>>> [+1] go ship it
>>> [+0] meh, don't care
>>> [-1] stop, there is a ${showstopper}
>>> 
>>> The VOTE is open for 72h or as long as needed.
>>> 
>>> Gruß
>>> Richard
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>> 
>>

smime.p7s
Description: S/MIME cryptographic signature

Re: [VOTE] Apache TomEE 8.0.13 - First Attempt

Reply via email to