Hi here, the vote for TomEE 8.0.13 launched 1 week ago was supposed to hold for 72 hours... Is it still valid or will a new release candidate show up ?
Alex Le dim. 16 oct. 2022 à 08:33, Wiesner, Martin <martin.wies...@hs-heilbronn.de> a écrit : > > Hi all, > > +1 (non-binding) > > Tested with several projects (primarily web services, JSF…), > both on Linux & Mac OS, each under OpenJDK 17 (latest). > > Best > Martin > — > https://twitter.com/mawiesne > > > Am 15.10.2022 um 19:41 schrieb Daniel Dias Dos Santos > <daniel.dias.analist...@gmail.com>: > > Hello, > > +1 > > On Sat, Oct 15, 2022, 14:39 Richard Zowalla <r...@apache.org> wrote: > > Any more votes? > > Am Dienstag, dem 11.10.2022 um 19:59 +0200 schrieb Richard Zowalla: > > Hi all, > > this is a first attempt at a vote for a release of Apache TomEE > 8.0.13. > > It is a maintenance release with some bug fixes and dependencies > upgrades. > > ############### > > Maven Repo: > https://repository.apache.org/content/repositories/orgapachetomee-1207 > > <repositories> > <repository> > <id>tomee-8.0.13-release-test</id> > <name>Testing TomEE 8.0.13 release candidate</name> > <url> > https://repository.apache.org/content/repositories/orgapachetomee-1207 > </url> > </repository> > </repositories> > > ############### > > Binaries & Source: > > https://dist.apache.org/repos/dist/dev/tomee/staging-1207/tomee-8.0.13/ > > ############### > > Tag: > > https://github.com/apache/tomee/releases/tag/tomee-project-8.0.13 > > ############### > > Latest CI/CD build: > > https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full/226/ > > ############### > > Release notes: > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12351820 > > > ############### > > Here is an adoc generated version of the changelog as well: > > == Dependency upgrade > > [.compact] > - link:https://issues.apache.org/jira/browse/TOMEE-3985[TOMEE-3985] > BatchEE 1.0.2 > - link:https://issues.apache.org/jira/browse/TOMEE-4057[TOMEE-4057] > CXF 3.4.8 > - link:https://issues.apache.org/jira/browse/TOMEE-3800[TOMEE-3800] > DBCP 2.9.0 > - link:https://issues.apache.org/jira/browse/TOMEE-4059[TOMEE-4059] > EclipseLink 2.7.11 > - link:https://issues.apache.org/jira/browse/TOMEE-4063[TOMEE-4063] > Geronimo Transaction Manager 3.1.5 > - link:https://issues.apache.org/jira/browse/TOMEE-4019[TOMEE-4019] > HSQLDB 2.7.0 > - link:https://issues.apache.org/jira/browse/TOMEE-3986[TOMEE-3986] > Hibernate Integration 5.6.9.Final > - link:https://issues.apache.org/jira/browse/TOMEE-4042[TOMEE-4042] > Jackson 2.13.4 > - link:https://issues.apache.org/jira/browse/TOMEE-4067[TOMEE-4067] > Jackson 2.14.0-rc1 > - link:https://issues.apache.org/jira/browse/TOMEE-4020[TOMEE-4020] > Jakarta Faces 2.3.18 > - link:https://issues.apache.org/jira/browse/TOMEE-4026[TOMEE-4026] > Johnzon 1.2.19 > - link:https://issues.apache.org/jira/browse/TOMEE-4030[TOMEE-4030] > Log4J2 2.18.0 > - link:https://issues.apache.org/jira/browse/TOMEE-3998[TOMEE-3998] > MyFaces 2.3.10 > - link:https://issues.apache.org/jira/browse/TOMEE-4044[TOMEE-4044] > Snakeyaml 1.32 > - link:https://issues.apache.org/jira/browse/TOMEE-4054[TOMEE-4054] > Snakeyaml 1.33 > - link:https://issues.apache.org/jira/browse/TOMEE-4002[TOMEE-4002] > Tomcat 9.0.64 > - link:https://issues.apache.org/jira/browse/TOMEE-4051[TOMEE-4051] > Tomcat 9.0.65 > - link:https://issues.apache.org/jira/browse/TOMEE-4060[TOMEE-4060] > Tomcat 9.0.67 > - link:https://issues.apache.org/jira/browse/TOMEE-4087[TOMEE-4087] > Tomcat 9.0.68 > - link:https://issues.apache.org/jira/browse/TOMEE-4018[TOMEE-4018] > bcprov-jdk15on 1.70 > > == New Feature > > [.compact] > - link:https://issues.apache.org/jira/browse/TOMEE-3928[TOMEE-3928] > Example for properties provider > > == Bug > > [.compact] > - link:https://issues.apache.org/jira/browse/TOMEE-4021[TOMEE-4021] > Unexpected ehcache 3.8.1 in tomee/lib > - link:https://issues.apache.org/jira/browse/TOMEE-3850[TOMEE-3850] > HTTP(S) connections are not reused > - link:https://issues.apache.org/jira/browse/TOMEE-4014[TOMEE-4014] > Unable to see TomEE version in Tomcat home page with Java 17 > - link:https://issues.apache.org/jira/browse/TOMEE-3979[TOMEE-3979] > service.bat issue when using JRE_HOME on Windows > - link:https://issues.apache.org/jira/browse/TOMEE-4041[TOMEE-4041] > 4 > CVE Vulnerabilities in snakeyaml-1.30.jar > - link:https://issues.apache.org/jira/browse/TOMEE-4001[TOMEE-4001] > CVE-2022-34305 displaying user provided data without filtering, > exposing a XSS vulnerability > > == Improvement > > [.compact] > - link:https://issues.apache.org/jira/browse/TOMEE-3878[TOMEE-3878] > Backport 'No interface view EJB proxies broken on JDK16+' [TOMEE- > 3877] to TomEE 8.x > > == Task > > [.compact] > - link:https://issues.apache.org/jira/browse/TOMEE-4064[TOMEE-4064] > OpenJPA 3.2.2 (examples), EclipseLink 2.7.11 (examples), Derby > 10.14.2.0 > - link:https://issues.apache.org/jira/browse/TOMEE-4022[TOMEE-4022] > Move to Apache Rat > - link:https://issues.apache.org/jira/browse/TOMEE-4056[TOMEE-4056] > Log4J2 2.19.0 > - link:https://issues.apache.org/jira/browse/TOMEE-4058[TOMEE-4058] > Update Krazo, DeltaSpike and Hibernate > - link:https://issues.apache.org/jira/browse/TOMEE-3914[TOMEE-3914] > Spring 3 Dependencies in TomEE Root POM > - link:https://issues.apache.org/jira/browse/TOMEE-4088[TOMEE-4088] > Add workaround for CVE-2022-41853 (hsqldb) > > == Documentation > > [.compact] > - link:https://issues.apache.org/jira/browse/TOMEE-4023[TOMEE-4023] > Comparison pages with wrong specs per profiles > - link:https://issues.apache.org/jira/browse/TOMEE-3981[TOMEE-3981] > update javadoc to reflect updates on Jakarta EE > > == Fixed Common Vulnerabilities and Exposures (CVEs) > > [.compact] > - link:https://issues.apache.org/jira/browse/TOMEE-4041[TOMEE-4041] > 4 > CVE Vulnerabilities in snakeyaml-1.30.jar > - link:https://issues.apache.org/jira/browse/TOMEE-4001[TOMEE-4001] > CVE-2022-34305 displaying user provided data without filtering, > exposing a XSS vulnerability > - link:https://issues.apache.org/jira/browse/TOMEE-4088[TOMEE-4088] > Add workaround for CVE-2022-41853 (hsqldb) > > ############### > > Here is the dependency diff from 8.0.12 to 8.0.13 created with > David's > new feature in our release tools: > > artifactId from to > ------------------------------- ---------- ------------------- > jackson-annotations 2.13.2 2.14.0-rc1 > jackson-core 2.13.2 2.14.0-rc1 > jackson-databind 2.13.2.2 2.14.0-rc1 > jackson-dataformat-yaml 2.13.2 2.14.0-rc1 > commons-cli 1.4 1.5.0 > batchee-jbatch 1.0.1 1.0.2 > commons-dbcp2 2.3.0 2.9.0 > cxf-rt-bindings-soap 3.4.5 3.4.8 > cxf-rt-bindings-xml 3.4.5 3.4.8 > cxf-rt-frontend-jaxws 3.4.5 3.4.8 > cxf-rt-frontend-simple 3.4.5 3.4.8 > cxf-rt-management 3.4.5 3.4.8 > cxf-rt-rs-extension-providers 3.4.5 3.4.8 > cxf-rt-rs-extension-search 3.4.5 3.4.8 > cxf-rt-rs-json-basic 3.4.5 3.4.8 > cxf-rt-rs-mp-client 3.4.5 3.4.8 > cxf-rt-rs-security-cors 3.4.5 3.4.8 > cxf-rt-rs-security-jose 3.4.5 3.4.8 > cxf-rt-rs-security-jose-jaxrs 3.4.5 3.4.8 > cxf-rt-rs-security-oauth2 3.4.5 3.4.8 > cxf-rt-rs-service-description 3.4.5 3.4.8 > cxf-rt-rs-sse 3.4.5 3.4.8 > cxf-rt-security 3.4.5 3.4.8 > cxf-rt-security-saml 3.4.5 3.4.8 > cxf-rt-ws-addr 3.4.5 3.4.8 > cxf-rt-ws-policy 3.4.5 3.4.8 > cxf-rt-ws-security 3.4.5 3.4.8 > cxf-rt-wsdl 3.4.5 3.4.8 > geronimo-connector 3.1.4 3.1.5 > geronimo-transaction 3.1.4 3.1.5 > johnzon-core 1.2.18 1.2.19 > johnzon-jaxrs 1.2.18 1.2.19 > johnzon-jsonb 1.2.18 1.2.19 > johnzon-jsonp-strict 1.2.18 1.2.19 > johnzon-mapper 1.2.18 1.2.19 > myfaces-api 2.3.9 2.3.10 > myfaces-impl 2.3.9 2.3.10 > cxf-shade 8.0.12 8.0.13 > taglibs-shade 8.0.12 8.0.13 > tomee-bootstrap 8.0.12 8.0.13 > bcprov-jdk15on 1.69 1.70 > eclipselink 2.7.9 2.7.11 > jakarta.faces 2.3.15 2.3.18 > hsqldb 2.5.2 2.7.0 > snakeyaml 1.30 1.33 > > ############### > > Please note: > > (1) CVE-2022-42003 (jackson-databind): Users are only affected, if > 'UNWRAP_SINGLE_VALUE_ARRAYS' is set to enabled. Mitigation is > included > in 2.14.0-rc1 - as discussed in a separate thread, we are "ok" to > ship > a RC version. We aim to do a follow up release of TomEE 8.x soon. > > (2) CVE-2022-41853 (hsqldb): As v2.7.1 isn't available yet, TomEE > sets > "hsqldb.method_class_names" to an invalid value to mitigate the > vulnerability. Users can override the property as needed. > > ############### > > > Please VOTE > > [+1] go ship it > [+0] meh, don't care > [-1] stop, there is a ${showstopper} > > The VOTE is open for 72h or as long as needed. > > Gruß > Richard > > > > > > > > >