Thanks Richard for this clarification (hope it's available on the TomEE
Security page to avoid people asking the same question)

=> When can the TomEE 8.0.14 vote start?

Alex

On Wed, Jan 11, 2023 at 15:11, Richard Zowalla <r...@apache.org> wrote:
>
> Hi Alex,
>
> thanks for the reply.
>
> There is an issue regarding CVE-2022-1471 (snakeyaml) [1]. Snakeyaml is
> a transient dependency of jackson-dataformat-yaml (which is used in
> OpenAPI). According to the Jackson people [2], they are not affected.
>
> Therefore, I don't think that we are impacted.
>
> Regards
> Richard
>
>
> [1] https://issues.apache.org/jira/projects/TOMEE/issues/TOMEE-4169
> [2] https://github.com/FasterXML/jackson-dataformats-text/issues/361
>
>
> On Wednesday, 11.01.2023 at 14:32 +0100, Alex The Rocker wrote:
> > Hello Richard,
> >
> > I give a big +1 for having a 8.0.14 release ASAP.
> >
> > I have nothing to ask for beyond the (many) CVE fixes done so far,
> > except maybe if it could be checked whether TomEE+ usage of snakeyaml
> > (which is part of TomEE+ libraries) systematically relies on
> > SnakeYaml's SafeConstructor, so as to avoid recent CVEs on
> > SnakeYaml...
> >
> > Thanks,
> > Alex
> >
> > On Wed, Jan 11, 2023 at 09:17, Richard Zowalla <r...@apache.org> wrote:
> > > Hi all,
> > >
> > > I would like to bring up 8.0.14 for a VOTE next week.
> > >
> > > Is there anything (dep updates, etc.) we need to include before
> > > proceeding with the preparations?
> > >
> > > Current changes:
> > > https://issues.apache.org/jira/projects/TOMEE/versions/12352390
> > >
> > > CXF 3.4.10 will be the last release of the 3.4.x series, so we likely
> > > need to upgrade to 3.5.x, but I don't think that we should include that
> > > for 8.0.14 yet.
> > >
> > > Nightlies can be found here:
> > > https://repository.apache.org/content/groups/snapshots/org/apache/tomee/apache-tomee/8.0.14-SNAPSHOT/
> > >
> > > Regards
> > > Richard
> > >
> > >
> > >
> > > On Thursday, 22.12.2022 at 15:18 +0100, Thomas Andraschko wrote:
> > > > also created 2 issues for further dependency upgrades:
> > > > https://issues.apache.org/jira/browse/TOMEE-4130
> > > > https://issues.apache.org/jira/browse/TOMEE-4129
> > > >
> > > > is there a reason we don't have the GitHub dependabot on master and
> > > > 8.0x?
> > > >
> > > > On Thu, Dec 22, 2022 at 15:07, Thomas Andraschko <andraschko.tho...@gmail.com> wrote:
> > > >
> > > > > +1 for this as it will fix the new CXF CVE
> > > > >
> > > > > On Wed, Dec 21, 2022 at 11:03, Richard Zowalla <r...@apache.org> wrote:
> > > > >
> > > > > > To follow up on that:
> > > > > >
> > > > > > I had a quick conversation with Jon about that topic.
> > > > > > We need to fix TOMEE-4014 (regarding the keep.version property, see
> > > > > > [1]) before we can bring up a release vote.
> > > > > >
> > > > > > However, effort / focus is currently on getting 9.0 Final out of the
> > > > > > door and fixing / working on the remaining 2 TCK failures. If we have it
> > > > > > up for vote, we can (most certainly) bring up a 8.0.14 for vote.
> > > > > >
> > > > > > Regards
> > > > > > Richard
> > > > > >
> > > > > > [1] https://github.com/apache/tomee/pull/993
> > > > > >
> > > > > > On Tuesday, 06.12.2022 at 16:35 +0000, Wiesner, Martin wrote:
> > > > > > > My vote:
> > > > > > > +1
> > > > > > >
> > > > > > > --
> > > > > > > Best
> > > > > > > Martin
> > > > > > >
> > > > > > > > On 06.12.2022 at 16:25, Jean-Louis Monteiro <jlmonte...@tomitribe.com> wrote:
> > > > > > > >
> > > > > > > > I'm not -1
> > > > > > > >
> > > > > > > > But I'd definitely favor working on getting 9.0.0 final so we can
> > > > > > > > switch to Jakarta EE 10 and MicroProfile 6.0
> > > > > > > >
> > > > > > > > My vote: 0
> > > > > > > >
> > > > > > > > On Tue, Dec 6, 2022, 16:11, Swell <souheil.sul...@gmail.com> wrote:
> > > > > > > >
> > > > > > > > > +1, we did not yet ship the fixes for the CVE, good to have them
> > > > > > > > > shipped
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > On Tue, 6 Dec 2022 at 15:47, Richard Zowalla <r...@apache.org> wrote:
> > > > > > > > >
> > > > > > > > > > Hi all,
> > > > > > > > > >
> > > > > > > > > > We have some dependency updates (tomcat, cxf, hsqldb) and some CVE
> > > > > > > > > > related fixes (woodstox, shaded bcel, ...).
> > > > > > > > > >
> > > > > > > > > > I was thinking about having 8.0.14 before we all get too stressed with
> > > > > > > > > > Christmas, etc. and no one has time to review / test a 8.0.14 RC.
> > > > > > > > > >
> > > > > > > > > > So my questions are:
> > > > > > > > > >
> > > > > > > > > > - What is the community's opinion regarding a 8.0.14 before Christmas?
> > > > > > > > > > - Are we missing any important version upgrades? Any show stoppers?
> > > > > > > > > >
> > > > > > > > > > Here are the current changes in Jira
> > > > > > > > > >
> > > > > > > > > > https://issues.apache.org/jira/projects/TOMEE/versions/12352390
> > > > > > > > > >
> > > > > > > > > > and here is a list in plain text without the need to log in:
> > > > > > > > > >
> > > > > > > > > > == Dependency upgrade
> > > > > > > > > >
> > > > > > > > > > [.compact]
> > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4100[TOMEE-4100] XBean 4.22
> > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4118[TOMEE-4118] CXF 3.4.9
> > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4086[TOMEE-4086] HSQLDB 2.7.1
> > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4107[TOMEE-4107] Jackson 2.14.0
> > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4116[TOMEE-4116] Tomcat 9.0.69
> > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4121[TOMEE-4121] Tomcat 9.0.70
> > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4109[TOMEE-4109] Velocity 2.3
> > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4110[TOMEE-4110] Woodstox 6.4.0 (CVE-2022-40152)
> > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4111[TOMEE-4111] bcel component
> > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4094[TOMEE-4094] jackson 2.14.0-rc2
> > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4103[TOMEE-4103] woodstox-core mitigate CVE-2022-40153
> > > > > > > > > >
> > > > > > > > > > == Bug
> > > > > > > > > >
> > > > > > > > > > [.compact]
> > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4122[TOMEE-4122] Performance Regression in bean resolution in EAR files
> > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4101[TOMEE-4101] Typo with EL22Adaptor implementation in openwebbeans.properties
> > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4102[TOMEE-4102] TomEE logs SEVERE: Expected ContextBinding to have the method getThreadName()
> > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4014[TOMEE-4014] Unable to see TomEE version in Tomcat home page with Java 17
> > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4106[TOMEE-4106] TomEE version no longer appearing at default manager page
> > > > > > > > > >
> > > > > > > > > > == Documentation
> > > > > > > > > >
> > > > > > > > > > [.compact]
> > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4104[TOMEE-4104] Documentation Website: XA DataSource Configuration: Bug in MySQL Sample Code
> > > > > > > > > >
> > > > > > > > > > == Fixed Common Vulnerabilities and Exposures (CVEs)
> > > > > > > > > >
> > > > > > > > > > [.compact]
> > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4086[TOMEE-4086] HSQLDB 2.7.1
> > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4111[TOMEE-4111] Upgrade bcel component in TomEE
> > > > > > > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4103[TOMEE-4103] Update woodstox-core to mitigate CVE-2022-40153
> > > > > > > > > >
> > > > > > > > > > Regards
> > > > > > > > > > Richard
> > > > > > > > > >
> > > > > > > > > >
>
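Alex's question above, whether TomEE+ code that loads YAML through SnakeYaml always goes through `SafeConstructor`, comes down to the contrast below. This is an added example and not TomEE or SnakeYaml project code; the `SafeYamlLoading` class and both sample documents are constructed for illustration, and it assumes SnakeYaml 1.33 or later on the classpath (for the `SafeConstructor(LoaderOptions)` constructor). The default `new Yaml()` uses the full `Constructor`, which instantiates whatever class a `!!` global tag in the document names; `SafeConstructor` only knows the standard YAML tags and throws on everything else, which is the behaviour that closes CVE-2022-1471 for code calling the `Yaml` API directly. Jackson's YAML module, as Richard points out via [2], is a separate question.

```java
import java.util.Map;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

/**
 * Added example (not TomEE or SnakeYaml project code): the two ways of building a
 * SnakeYaml Yaml loader, and what each does with a document that names a Java class
 * through a "!!" global tag. Assumes SnakeYaml 1.33+ (SafeConstructor(LoaderOptions)).
 */
public class SafeYamlLoading {

    /** Constructed sample: only standard scalars, a sequence and a mapping. */
    static final String PLAIN_CONFIG = String.join("\n",
            "server:",
            "  port: 8080",
            "  hosts: [a.example, b.example]",
            "");

    /**
     * Constructed sample: the same mapping, but tagged with a class name. The class
     * used here is harmless; the point is that the document, not the application,
     * chooses which class gets instantiated.
     */
    static final String TAGGED_CONFIG = String.join("\n",
            "server: !!java.util.HashMap",
            "  port: 8080",
            "");

    /** Default loader: the full Constructor resolves any "!!class" tag by reflection. */
    static Yaml defaultLoader() {
        return new Yaml(); // not suitable for input the application does not control
    }

    /** Hardened loader: only the YAML standard tags (str, int, seq, map, ...) exist. */
    static Yaml safeLoader() {
        LoaderOptions options = new LoaderOptions();
        options.setAllowDuplicateKeys(false); // also fail closed on ambiguous documents
        return new Yaml(new SafeConstructor(options));
    }

    /** Loads a document, or returns null when the constructor refused a tag. */
    static Object loadOrNull(Yaml yaml, String document) {
        try {
            return yaml.load(document);
        } catch (ConstructorException e) {
            // SafeConstructor reports "could not determine a constructor for the tag ..."
            System.out.println("rejected: " + e.getMessage().split("\n")[0]);
            return null;
        }
    }

    public static void main(String[] args) {
        Yaml safe = safeLoader();

        // Untagged mapping: SafeConstructor accepts it as a plain java.util.Map.
        Map<?, ?> cfg = (Map<?, ?>) loadOrNull(safe, PLAIN_CONFIG);
        System.out.println("safe loader, plain document: " + cfg);

        // Tagged mapping: SafeConstructor has no constructor for the tag and throws.
        Object refused = loadOrNull(safe, TAGGED_CONFIG);
        System.out.println("safe loader, tagged document loaded: " + (refused != null));

        // The default loader instantiates the class named by the document instead.
        Map<?, ?> viaDefault = (Map<?, ?>) loadOrNull(defaultLoader(), TAGGED_CONFIG);
        Object server = viaDefault.get("server");
        System.out.println("default loader built a " + server.getClass().getName());
    }
}
```

The check Alex asks for is therefore mechanical: every `new Yaml(...)` in a code base that may see YAML from outside the trust boundary should be built from a `SafeConstructor` (or a `Constructor` with an explicit tag allow-list), and a plain `new Yaml()` or `new Yaml(new Constructor(...))` on such a path is the finding to look for.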
