Hello, +1
Thanks

On Tue, Jan 17, 2023, 10:40 Richard Zowalla <[email protected]> wrote:

> Hi all,
>
> this is a vote for a release of Apache TomEE 8.0.14.
>
> It is a maintenance release with some bug fixes and dependency
> upgrades.
>
> ###############
>
> Maven Repo:
> https://repository.apache.org/content/repositories/orgapachetomee-1213/
>
> <repositories>
>   <repository>
>     <id>tomee-8.0.14-release-test</id>
>     <name>Testing TomEE 8.0.14 release candidate</name>
>     <url>https://repository.apache.org/content/repositories/orgapachetomee-1213/</url>
>   </repository>
> </repositories>
>
> ###############
>
> Binaries & Source:
>
> https://dist.apache.org/repos/dist/dev/tomee/staging-1213/tomee-8.0.14/
>
> ###############
>
> Tag:
>
> https://github.com/apache/tomee/releases/tag/tomee-project-8.0.14
>
> ###############
>
> Release notes:
>
> https://issues.apache.org/jira/projects/TOMEE/versions/12352390
>
> ###############
>
> Here is an adoc generated version of the changelog as well:
>
> == Dependency upgrade
>
> [.compact]
> - link:https://issues.apache.org/jira/browse/TOMEE-4100[TOMEE-4100] XBean 4.22
> - link:https://issues.apache.org/jira/browse/TOMEE-4126[TOMEE-4126] CXF 3.4.10
> - link:https://issues.apache.org/jira/browse/TOMEE-4118[TOMEE-4118] CXF 3.4.9
> - link:https://issues.apache.org/jira/browse/TOMEE-4125[TOMEE-4125] CXF versions mitigate CVE-2022-46364 and CVE-2022-46363
> - link:https://issues.apache.org/jira/browse/TOMEE-4086[TOMEE-4086] HSQLDB 2.7.1
> - link:https://issues.apache.org/jira/browse/TOMEE-4170[TOMEE-4170] Hibernate 5.6.14
> - link:https://issues.apache.org/jira/browse/TOMEE-4107[TOMEE-4107] Jackson 2.14.0
> - link:https://issues.apache.org/jira/browse/TOMEE-4129[TOMEE-4129] Jackson 2.14.1
> - link:https://issues.apache.org/jira/browse/TOMEE-4169[TOMEE-4169] SnakeYAML - CVE-2022-1471
> - link:https://issues.apache.org/jira/browse/TOMEE-4116[TOMEE-4116] Tomcat 9.0.69
> - link:https://issues.apache.org/jira/browse/TOMEE-4121[TOMEE-4121] Tomcat 9.0.70
> - link:https://issues.apache.org/jira/browse/TOMEE-4173[TOMEE-4173] Tomcat 9.0.71
> - link:https://issues.apache.org/jira/browse/TOMEE-4109[TOMEE-4109] Velocity 2.3
> - link:https://issues.apache.org/jira/browse/TOMEE-4110[TOMEE-4110] Woodstox 6.4.0 (CVE-2022-40152)
> - link:https://issues.apache.org/jira/browse/TOMEE-4111[TOMEE-4111] bcel component
> - link:https://issues.apache.org/jira/browse/TOMEE-4130[TOMEE-4130] commons-compress 1.22
> - link:https://issues.apache.org/jira/browse/TOMEE-4094[TOMEE-4094] jackson 2.14.0-rc2
> - link:https://issues.apache.org/jira/browse/TOMEE-4103[TOMEE-4103] woodstox-core mitigate CVE-2022-40153
>
> == Bug
>
> [.compact]
> - link:https://issues.apache.org/jira/browse/TOMEE-4120[TOMEE-4120] Remote EJB2 BMP Memory Leak
> - link:https://issues.apache.org/jira/browse/TOMEE-4122[TOMEE-4122] Performance Regression in bean resolution in EAR files
> - link:https://issues.apache.org/jira/browse/TOMEE-4101[TOMEE-4101] Typo with EL22Adaptor implementation in openwebbeans.properties
> - link:https://issues.apache.org/jira/browse/TOMEE-4102[TOMEE-4102] TomEE logs SEVERE: Expected ContextBinding to have the method getThreadName()
> - link:https://issues.apache.org/jira/browse/TOMEE-4106[TOMEE-4106] TomEE version no longer appearing at default manager page
> - link:https://issues.apache.org/jira/browse/TOMEE-4014[TOMEE-4014] Unable to see TomEE version in Tomcat home page with Java 17
> - link:https://issues.apache.org/jira/browse/TOMEE-4108[TOMEE-4108] Backport TOMEE-4065: LoginToContinue interceptor fails on custom auth mechanism
> - link:https://issues.apache.org/jira/browse/TOMEE-3779[TOMEE-3779] tomee-embedded-maven-plugin fails with NPE
> - link:https://issues.apache.org/jira/browse/TOMEE-4176[TOMEE-4176] CVE-2022-45143 Apache Tomcat - JsonErrorReportValve injection on TomEE's tomcat-websocket.jar
>
> == Improvement
>
> [.compact]
> - link:https://issues.apache.org/jira/browse/TOMEE-4124[TOMEE-4124] Remove timing of timing just for logging
>
> == Task
>
> [.compact]
> - link:https://issues.apache.org/jira/browse/TOMEE-4171[TOMEE-4171] Apache Parent 29
> - link:https://issues.apache.org/jira/browse/TOMEE-4172[TOMEE-4172] JUnit 5.9.2
> - link:https://issues.apache.org/jira/browse/TOMEE-4177[TOMEE-4177] Patch Plugin 0.10
>
> == Documentation
>
> [.compact]
> - link:https://issues.apache.org/jira/browse/TOMEE-4104[TOMEE-4104] Documentation Website: XA DataSource Configuration: Bug in MySQL Sample Code
>
> == Fixed Common Vulnerabilities and Exposures (CVEs)
>
> [.compact]
> - link:https://issues.apache.org/jira/browse/TOMEE-4086[TOMEE-4086] HSQLDB 2.7.1
> - link:https://issues.apache.org/jira/browse/TOMEE-4125[TOMEE-4125] Update Apache CXF versions to mitigate CVE-2022-46364 and CVE-2022-46363
> - link:https://issues.apache.org/jira/browse/TOMEE-4103[TOMEE-4103] Update woodstox-core to mitigate CVE-2022-40153
> - link:https://issues.apache.org/jira/browse/TOMEE-4111[TOMEE-4111] Upgrade bcel component in TomEE
> - link:https://issues.apache.org/jira/browse/TOMEE-4176[TOMEE-4176] CVE-2022-45143 Apache Tomcat - JsonErrorReportValve injection on TomEE's tomcat-websocket.jar
>
> ###############
>
> Here is the dependency diff from 8.0.13 to 8.0.14 created with our
> release tools:
>
> artifactId                      from         to
> ------------------------------- ------------ --------
> jackson-annotations             2.14.0-rc1   2.14.1
> jackson-core                    2.14.0-rc1   2.14.1
> jackson-databind                2.14.0-rc1   2.14.1
> jackson-dataformat-yaml         2.14.0-rc1   2.14.1
> woodstox-core                   6.2.4        6.4.0
> cxf-rt-bindings-soap            3.4.8        3.4.10
> cxf-rt-bindings-xml             3.4.8        3.4.10
> cxf-rt-frontend-jaxws           3.4.8        3.4.10
> cxf-rt-frontend-simple          3.4.8        3.4.10
> cxf-rt-management               3.4.8        3.4.10
> cxf-rt-rs-extension-providers   3.4.8        3.4.10
> cxf-rt-rs-extension-search      3.4.8        3.4.10
> cxf-rt-rs-json-basic            3.4.8        3.4.10
> cxf-rt-rs-mp-client             3.4.8        3.4.10
> cxf-rt-rs-security-cors         3.4.8        3.4.10
> cxf-rt-rs-security-jose         3.4.8        3.4.10
> cxf-rt-rs-security-jose-jaxrs   3.4.8        3.4.10
> cxf-rt-rs-security-oauth2       3.4.8        3.4.10
> cxf-rt-rs-service-description   3.4.8        3.4.10
> cxf-rt-rs-sse                   3.4.8        3.4.10
> cxf-rt-security                 3.4.8        3.4.10
> cxf-rt-security-saml            3.4.8        3.4.10
> cxf-rt-ws-addr                  3.4.8        3.4.10
> cxf-rt-ws-policy                3.4.8        3.4.10
> cxf-rt-ws-security              3.4.8        3.4.10
> cxf-rt-wsdl                     3.4.8        3.4.10
> cxf-shade                       8.0.13       8.0.14
> taglibs-shade                   8.0.13       8.0.14
> tomee-bootstrap                 8.0.13       8.0.14
> xbean-asm9-shaded               4.21         4.22
> xbean-bundleutils               4.21         4.22
> xbean-finder-shaded             4.21         4.22
> xbean-naming                    4.21         4.22
> xbean-reflect                   4.21         4.22
>
> ###############
>
> Note:
>
> (1) CVE-2022-1471 (snakeyaml): Snakeyaml is a transient dependency of
> jackson-dataformat-yaml (which is used in OpenAPI).
> According to the Jackson people, they are not affected:
> https://github.com/FasterXML/jackson-dataformats-text/issues/361
>
> ###############
>
> Please VOTE
>
> [+1] go ship it
> [+0] meh, don't care
> [-1] stop, there is a ${showstopper}
>
> The VOTE is open for 72h or as long as needed.
>
> Regards
> Richard
