Re: [VOTE] Apache TomEE 8.0.13 - First Attempt

Alex The Rocker Mon, 17 Oct 2022 23:37:11 -0700

Hi here, the vote for TomEE 8.0.13 launched 1 week ago was supposed to
hold for 72 hours...
Is it still valid or will a new release candidate show up ?


Alex

Le dim. 16 oct. 2022 à 08:33, Wiesner, Martin
<martin.wies...@hs-heilbronn.de> a écrit :
>
> Hi all,
>
> +1 (non-binding)
>
> Tested with several projects (primarily web services, JSF…),
> both on Linux & Mac OS, each under OpenJDK 17 (latest).
>
> Best
> Martin
> —
> https://twitter.com/mawiesne
>
>
> Am 15.10.2022 um 19:41 schrieb Daniel Dias Dos Santos 
> <daniel.dias.analist...@gmail.com>:
>
> Hello,
>
> +1
>
> On Sat, Oct 15, 2022, 14:39 Richard Zowalla <r...@apache.org> wrote:
>
> Any more votes?
>
> Am Dienstag, dem 11.10.2022 um 19:59 +0200 schrieb Richard Zowalla:
>
> Hi all,
>
> this is a first attempt at a vote for a release of Apache TomEE
> 8.0.13.
>
> It is a maintenance release with some bug fixes and dependencies
> upgrades.
>
> ###############
>
> Maven Repo:
> https://repository.apache.org/content/repositories/orgapachetomee-1207
>
>  <repositories>
>    <repository>
>      <id>tomee-8.0.13-release-test</id>
>      <name>Testing TomEE 8.0.13 release candidate</name>
> <url>
> https://repository.apache.org/content/repositories/orgapachetomee-1207
> </url>
>    </repository>
>  </repositories>
>
> ###############
>
> Binaries & Source:
>
> https://dist.apache.org/repos/dist/dev/tomee/staging-1207/tomee-8.0.13/
>
> ###############
>
> Tag:
>
> https://github.com/apache/tomee/releases/tag/tomee-project-8.0.13
>
> ###############
>
> Latest CI/CD build:
>
> https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full/226/
>
> ###############
>
> Release notes:
>
>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12351820
>
>
> ###############
>
> Here is an adoc generated version of the changelog as well:
>
> == Dependency upgrade
>
> [.compact]
> - link:https://issues.apache.org/jira/browse/TOMEE-3985[TOMEE-3985]
> BatchEE 1.0.2
> - link:https://issues.apache.org/jira/browse/TOMEE-4057[TOMEE-4057]
> CXF 3.4.8
> - link:https://issues.apache.org/jira/browse/TOMEE-3800[TOMEE-3800]
> DBCP 2.9.0
> - link:https://issues.apache.org/jira/browse/TOMEE-4059[TOMEE-4059]
> EclipseLink 2.7.11
> - link:https://issues.apache.org/jira/browse/TOMEE-4063[TOMEE-4063]
> Geronimo Transaction Manager 3.1.5
> - link:https://issues.apache.org/jira/browse/TOMEE-4019[TOMEE-4019]
> HSQLDB 2.7.0
> - link:https://issues.apache.org/jira/browse/TOMEE-3986[TOMEE-3986]
> Hibernate Integration 5.6.9.Final
> - link:https://issues.apache.org/jira/browse/TOMEE-4042[TOMEE-4042]
> Jackson 2.13.4
> - link:https://issues.apache.org/jira/browse/TOMEE-4067[TOMEE-4067]
> Jackson 2.14.0-rc1
> - link:https://issues.apache.org/jira/browse/TOMEE-4020[TOMEE-4020]
> Jakarta Faces 2.3.18
> - link:https://issues.apache.org/jira/browse/TOMEE-4026[TOMEE-4026]
> Johnzon 1.2.19
> - link:https://issues.apache.org/jira/browse/TOMEE-4030[TOMEE-4030]
> Log4J2 2.18.0
> - link:https://issues.apache.org/jira/browse/TOMEE-3998[TOMEE-3998]
> MyFaces 2.3.10
> - link:https://issues.apache.org/jira/browse/TOMEE-4044[TOMEE-4044]
> Snakeyaml 1.32
> - link:https://issues.apache.org/jira/browse/TOMEE-4054[TOMEE-4054]
> Snakeyaml 1.33
> - link:https://issues.apache.org/jira/browse/TOMEE-4002[TOMEE-4002]
> Tomcat 9.0.64
> - link:https://issues.apache.org/jira/browse/TOMEE-4051[TOMEE-4051]
> Tomcat 9.0.65
> - link:https://issues.apache.org/jira/browse/TOMEE-4060[TOMEE-4060]
> Tomcat 9.0.67
> - link:https://issues.apache.org/jira/browse/TOMEE-4087[TOMEE-4087]
> Tomcat 9.0.68
> - link:https://issues.apache.org/jira/browse/TOMEE-4018[TOMEE-4018]
> bcprov-jdk15on 1.70
>
> == New Feature
>
> [.compact]
> - link:https://issues.apache.org/jira/browse/TOMEE-3928[TOMEE-3928]
> Example for properties provider
>
> == Bug
>
> [.compact]
> - link:https://issues.apache.org/jira/browse/TOMEE-4021[TOMEE-4021]
> Unexpected ehcache 3.8.1 in tomee/lib
> - link:https://issues.apache.org/jira/browse/TOMEE-3850[TOMEE-3850]
> HTTP(S) connections are not reused
> - link:https://issues.apache.org/jira/browse/TOMEE-4014[TOMEE-4014]
> Unable to see TomEE version in Tomcat home page with Java 17
> - link:https://issues.apache.org/jira/browse/TOMEE-3979[TOMEE-3979]
> service.bat issue when using JRE_HOME on Windows
> - link:https://issues.apache.org/jira/browse/TOMEE-4041[TOMEE-4041]
> 4
> CVE Vulnerabilities in snakeyaml-1.30.jar
> - link:https://issues.apache.org/jira/browse/TOMEE-4001[TOMEE-4001]
> CVE-2022-34305 displaying user provided data without filtering,
> exposing a XSS vulnerability
>
> == Improvement
>
> [.compact]
> - link:https://issues.apache.org/jira/browse/TOMEE-3878[TOMEE-3878]
> Backport 'No interface view EJB proxies broken on JDK16+' [TOMEE-
> 3877] to TomEE 8.x
>
> == Task
>
> [.compact]
> - link:https://issues.apache.org/jira/browse/TOMEE-4064[TOMEE-4064]
> OpenJPA 3.2.2 (examples), EclipseLink 2.7.11 (examples), Derby
> 10.14.2.0
> - link:https://issues.apache.org/jira/browse/TOMEE-4022[TOMEE-4022]
> Move to Apache Rat
> - link:https://issues.apache.org/jira/browse/TOMEE-4056[TOMEE-4056]
> Log4J2 2.19.0
> - link:https://issues.apache.org/jira/browse/TOMEE-4058[TOMEE-4058]
> Update Krazo, DeltaSpike and Hibernate
> - link:https://issues.apache.org/jira/browse/TOMEE-3914[TOMEE-3914]
> Spring 3 Dependencies in TomEE Root POM
> - link:https://issues.apache.org/jira/browse/TOMEE-4088[TOMEE-4088]
> Add workaround for CVE-2022-41853 (hsqldb)
>
> == Documentation
>
> [.compact]
> - link:https://issues.apache.org/jira/browse/TOMEE-4023[TOMEE-4023]
> Comparison pages with wrong specs per profiles
> - link:https://issues.apache.org/jira/browse/TOMEE-3981[TOMEE-3981]
> update javadoc to reflect updates on Jakarta EE
>
> == Fixed Common Vulnerabilities and Exposures (CVEs)
>
> [.compact]
> - link:https://issues.apache.org/jira/browse/TOMEE-4041[TOMEE-4041]
> 4
> CVE Vulnerabilities in snakeyaml-1.30.jar
> - link:https://issues.apache.org/jira/browse/TOMEE-4001[TOMEE-4001]
> CVE-2022-34305 displaying user provided data without filtering,
> exposing a XSS vulnerability
> - link:https://issues.apache.org/jira/browse/TOMEE-4088[TOMEE-4088]
> Add workaround for CVE-2022-41853 (hsqldb)
>
> ###############
>
> Here is the dependency diff from 8.0.12 to 8.0.13 created with
> David's
> new feature in our release tools:
>
>          artifactId               from            to
> ------------------------------- ---------- -------------------
> jackson-annotations               2.13.2   2.14.0-rc1
> jackson-core                      2.13.2   2.14.0-rc1
> jackson-databind                2.13.2.2   2.14.0-rc1
> jackson-dataformat-yaml           2.13.2   2.14.0-rc1
> commons-cli                          1.4   1.5.0
> batchee-jbatch                     1.0.1   1.0.2
> commons-dbcp2                      2.3.0   2.9.0
> cxf-rt-bindings-soap               3.4.5   3.4.8
> cxf-rt-bindings-xml                3.4.5   3.4.8
> cxf-rt-frontend-jaxws              3.4.5   3.4.8
> cxf-rt-frontend-simple             3.4.5   3.4.8
> cxf-rt-management                  3.4.5   3.4.8
> cxf-rt-rs-extension-providers      3.4.5   3.4.8
> cxf-rt-rs-extension-search         3.4.5   3.4.8
> cxf-rt-rs-json-basic               3.4.5   3.4.8
> cxf-rt-rs-mp-client                3.4.5   3.4.8
> cxf-rt-rs-security-cors            3.4.5   3.4.8
> cxf-rt-rs-security-jose            3.4.5   3.4.8
> cxf-rt-rs-security-jose-jaxrs      3.4.5   3.4.8
> cxf-rt-rs-security-oauth2          3.4.5   3.4.8
> cxf-rt-rs-service-description      3.4.5   3.4.8
> cxf-rt-rs-sse                      3.4.5   3.4.8
> cxf-rt-security                    3.4.5   3.4.8
> cxf-rt-security-saml               3.4.5   3.4.8
> cxf-rt-ws-addr                     3.4.5   3.4.8
> cxf-rt-ws-policy                   3.4.5   3.4.8
> cxf-rt-ws-security                 3.4.5   3.4.8
> cxf-rt-wsdl                        3.4.5   3.4.8
> geronimo-connector                 3.1.4   3.1.5
> geronimo-transaction               3.1.4   3.1.5
> johnzon-core                      1.2.18   1.2.19
> johnzon-jaxrs                     1.2.18   1.2.19
> johnzon-jsonb                     1.2.18   1.2.19
> johnzon-jsonp-strict              1.2.18   1.2.19
> johnzon-mapper                    1.2.18   1.2.19
> myfaces-api                        2.3.9   2.3.10
> myfaces-impl                       2.3.9   2.3.10
> cxf-shade                         8.0.12   8.0.13
> taglibs-shade                     8.0.12   8.0.13
> tomee-bootstrap                   8.0.12   8.0.13
> bcprov-jdk15on                      1.69   1.70
> eclipselink                        2.7.9   2.7.11
> jakarta.faces                     2.3.15   2.3.18
> hsqldb                             2.5.2   2.7.0
> snakeyaml                           1.30   1.33
>
> ###############
>
> Please note:
>
> (1) CVE-2022-42003 (jackson-databind): Users are only affected, if
> 'UNWRAP_SINGLE_VALUE_ARRAYS' is set to enabled. Mitigation is
> included
> in 2.14.0-rc1 - as discussed in a separate thread, we are "ok" to
> ship
> a RC version. We aim to do a follow up release of TomEE 8.x soon.
>
> (2) CVE-2022-41853 (hsqldb): As v2.7.1 isn't available yet, TomEE
> sets
> "hsqldb.method_class_names" to an invalid value to mitigate the
> vulnerability. Users can override the property as needed.
>
> ###############
>
>
> Please VOTE
>
> [+1] go ship it
> [+0] meh, don't care
> [-1] stop, there is a ${showstopper}
>
> The VOTE is open for 72h or as long as needed.
>
> Gruß
> Richard
>
>
>
>
>
>
>
>
>

Re: [VOTE] Apache TomEE 8.0.13 - First Attempt

Reply via email to