Hi all,

this is a vote for a release of Apache TomEE 8.0.14.

It is a maintenance release with some bug fixes and dependency
upgrades.

###############

Maven Repo:
https://repository.apache.org/content/repositories/orgapachetomee-1213/

<repositories>
  <repository>
    <id>tomee-8.0.14-release-test</id>
    <name>Testing TomEE 8.0.14 release candidate</name>
    <url>https://repository.apache.org/content/repositories/orgapachetomee-1213/</url>
  </repository>
</repositories>

###############

Binaries & Source:

https://dist.apache.org/repos/dist/dev/tomee/staging-1213/tomee-8.0.14/

###############

Tag:

https://github.com/apache/tomee/releases/tag/tomee-project-8.0.14


###############

Release notes:

https://issues.apache.org/jira/projects/TOMEE/versions/12352390

###############

Here is an adoc generated version of the changelog as well:

== Dependency upgrade

[.compact]
 - link:https://issues.apache.org/jira/browse/TOMEE-4100[TOMEE-4100] XBean 4.22
 - link:https://issues.apache.org/jira/browse/TOMEE-4126[TOMEE-4126] CXF 3.4.10
 - link:https://issues.apache.org/jira/browse/TOMEE-4118[TOMEE-4118] CXF 3.4.9
 - link:https://issues.apache.org/jira/browse/TOMEE-4125[TOMEE-4125] CXF versions mitigate CVE-2022-46364 and CVE-2022-46363
 - link:https://issues.apache.org/jira/browse/TOMEE-4086[TOMEE-4086] HSQLDB 2.7.1
 - link:https://issues.apache.org/jira/browse/TOMEE-4170[TOMEE-4170] Hibernate 5.6.14
 - link:https://issues.apache.org/jira/browse/TOMEE-4107[TOMEE-4107] Jackson 2.14.0
 - link:https://issues.apache.org/jira/browse/TOMEE-4129[TOMEE-4129] Jackson 2.14.1
 - link:https://issues.apache.org/jira/browse/TOMEE-4169[TOMEE-4169] SnakeYAML - CVE-2022-1471
 - link:https://issues.apache.org/jira/browse/TOMEE-4116[TOMEE-4116] Tomcat 9.0.69
 - link:https://issues.apache.org/jira/browse/TOMEE-4121[TOMEE-4121] Tomcat 9.0.70
 - link:https://issues.apache.org/jira/browse/TOMEE-4173[TOMEE-4173] Tomcat 9.0.71
 - link:https://issues.apache.org/jira/browse/TOMEE-4109[TOMEE-4109] Velocity 2.3
 - link:https://issues.apache.org/jira/browse/TOMEE-4110[TOMEE-4110] Woodstox 6.4.0 (CVE-2022-40152)
 - link:https://issues.apache.org/jira/browse/TOMEE-4111[TOMEE-4111] bcel component
 - link:https://issues.apache.org/jira/browse/TOMEE-4130[TOMEE-4130] commons-compress 1.22
 - link:https://issues.apache.org/jira/browse/TOMEE-4094[TOMEE-4094] jackson 2.14.0-rc2
 - link:https://issues.apache.org/jira/browse/TOMEE-4103[TOMEE-4103] woodstox-core mitigate CVE-2022-40153

== Bug

[.compact]
 - link:https://issues.apache.org/jira/browse/TOMEE-4120[TOMEE-4120] Remote EJB2 BMP Memory Leak
 - link:https://issues.apache.org/jira/browse/TOMEE-4122[TOMEE-4122] Performance Regression in bean resolution in EAR files
 - link:https://issues.apache.org/jira/browse/TOMEE-4101[TOMEE-4101] Typo with EL22Adaptor implementation in openwebbeans.properties
 - link:https://issues.apache.org/jira/browse/TOMEE-4102[TOMEE-4102] TomEE logs SEVERE: Expected ContextBinding to have the method getThreadName()
 - link:https://issues.apache.org/jira/browse/TOMEE-4106[TOMEE-4106] TomEE version no longer appearing at default manager page
 - link:https://issues.apache.org/jira/browse/TOMEE-4014[TOMEE-4014] Unable to see TomEE version in Tomcat home page with Java 17
 - link:https://issues.apache.org/jira/browse/TOMEE-4108[TOMEE-4108] Backport TOMEE-4065: LoginToContinue interceptor fails on custom auth mechanism
 - link:https://issues.apache.org/jira/browse/TOMEE-3779[TOMEE-3779] tomee-embedded-maven-plugin fails with NPE
 - link:https://issues.apache.org/jira/browse/TOMEE-4176[TOMEE-4176] CVE-2022-45143 Apache Tomcat - JsonErrorReportValve injection on TomEE's tomcat-websocket.jar

== Improvement

[.compact]
 - link:https://issues.apache.org/jira/browse/TOMEE-4124[TOMEE-4124] Remove timing of timing just for logging

== Task

[.compact]
 - link:https://issues.apache.org/jira/browse/TOMEE-4171[TOMEE-4171] Apache Parent 29
 - link:https://issues.apache.org/jira/browse/TOMEE-4172[TOMEE-4172] JUnit 5.9.2
 - link:https://issues.apache.org/jira/browse/TOMEE-4177[TOMEE-4177] Patch Plugin 0.10

== Documentation

[.compact]
 - link:https://issues.apache.org/jira/browse/TOMEE-4104[TOMEE-4104] Documentation Website: XA DataSource Configuration: Bug in MySQL Sample Code

== Fixed Common Vulnerabilities and Exposures (CVEs)

[.compact]
 - link:https://issues.apache.org/jira/browse/TOMEE-4086[TOMEE-4086] HSQLDB 2.7.1
 - link:https://issues.apache.org/jira/browse/TOMEE-4125[TOMEE-4125] Update Apache CXF versions to mitigate CVE-2022-46364 and CVE-2022-46363
 - link:https://issues.apache.org/jira/browse/TOMEE-4103[TOMEE-4103] Update woodstox-core to mitigate CVE-2022-40153
 - link:https://issues.apache.org/jira/browse/TOMEE-4111[TOMEE-4111] Upgrade bcel component in TomEE
 - link:https://issues.apache.org/jira/browse/TOMEE-4176[TOMEE-4176] CVE-2022-45143 Apache Tomcat - JsonErrorReportValve injection on TomEE's tomcat-websocket.jar




###############

Here is the dependency diff from 8.0.13 to 8.0.14 created with our
release tools:

          artifactId                from        to   
------------------------------- ------------ --------
 jackson-annotations             2.14.0-rc1   2.14.1 
 jackson-core                    2.14.0-rc1   2.14.1 
 jackson-databind                2.14.0-rc1   2.14.1 
 jackson-dataformat-yaml         2.14.0-rc1   2.14.1 
 woodstox-core                   6.2.4         6.4.0 
 cxf-rt-bindings-soap            3.4.8        3.4.10 
 cxf-rt-bindings-xml             3.4.8        3.4.10 
 cxf-rt-frontend-jaxws           3.4.8        3.4.10 
 cxf-rt-frontend-simple          3.4.8        3.4.10 
 cxf-rt-management               3.4.8        3.4.10 
 cxf-rt-rs-extension-providers   3.4.8        3.4.10 
 cxf-rt-rs-extension-search      3.4.8        3.4.10 
 cxf-rt-rs-json-basic            3.4.8        3.4.10 
 cxf-rt-rs-mp-client             3.4.8        3.4.10 
 cxf-rt-rs-security-cors         3.4.8        3.4.10 
 cxf-rt-rs-security-jose         3.4.8        3.4.10 
 cxf-rt-rs-security-jose-jaxrs   3.4.8        3.4.10 
 cxf-rt-rs-security-oauth2       3.4.8        3.4.10 
 cxf-rt-rs-service-description   3.4.8        3.4.10 
 cxf-rt-rs-sse                   3.4.8        3.4.10 
 cxf-rt-security                 3.4.8        3.4.10 
 cxf-rt-security-saml            3.4.8        3.4.10 
 cxf-rt-ws-addr                  3.4.8        3.4.10 
 cxf-rt-ws-policy                3.4.8        3.4.10 
 cxf-rt-ws-security              3.4.8        3.4.10 
 cxf-rt-wsdl                     3.4.8        3.4.10 
 cxf-shade                       8.0.13       8.0.14 
 taglibs-shade                   8.0.13       8.0.14 
 tomee-bootstrap                 8.0.13       8.0.14 
 xbean-asm9-shaded               4.21           4.22 
 xbean-bundleutils               4.21           4.22 
 xbean-finder-shaded             4.21           4.22 
 xbean-naming                    4.21           4.22 
 xbean-reflect                   4.21           4.22

###############

Note:

(1) CVE-2022-1471 (snakeyaml): Snakeyaml is a transient dependency of
 jackson-dataformat-yaml (which is used in OpenAPI). 
 According to the Jackson people, they are not affected: 
https://github.com/FasterXML/jackson-dataformats-text/issues/361

###############


Please VOTE

[+1] go ship it
[+0] meh, don't care
[-1] stop, there is a ${showstopper}

The VOTE is open for 72h or as long as needed.

Regards
Richard
