+1 (binding)
--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com


On Tue, Jan 17, 2023 at 4:31 PM Thomas Andraschko <
[email protected]> wrote:

> +1 (non-binding)
> our applications are working fine
>
> On Tue, Jan 17, 2023 at 14:49, Daniel Dias Dos Santos <
> [email protected]> wrote:
>
> > Hello,
> >
> > +1
> >
> > Thanks
> >
> > On Tue, Jan 17, 2023, 10:40 Richard Zowalla <[email protected]> wrote:
> >
> > > Hi all,
> > >
> > > this is a vote for a release of Apache TomEE 8.0.14.
> > >
> > > It is a maintenance release with some bug fixes and dependency
> > > upgrades.
> > >
> > > ###############
> > >
> > > Maven Repo:
> > >
> > > https://repository.apache.org/content/repositories/orgapachetomee-1213/
> > >
> > > <repositories>
> > > <repository>
> > > <id>tomee-8.0.14-release-test</id>
> > > <name>Testing TomEE 8.0.14 release candidate</name>
> > > <url>https://repository.apache.org/content/repositories/orgapachetomee-1213/</url>
> > > </repository>
> > > </repositories>
> > >
> > > ###############
> > >
> > > Binaries & Source:
> > >
> > >
> > > https://dist.apache.org/repos/dist/dev/tomee/staging-1213/tomee-8.0.14/
> > >
> > > ###############
> > >
> > > Tag:
> > >
> > > https://github.com/apache/tomee/releases/tag/tomee-project-8.0.14
> > >
> > >
> > > ###############
> > >
> > > Release notes:
> > >
> > > https://issues.apache.org/jira/projects/TOMEE/versions/12352390
> > >
> > > ###############
> > >
> > > Here is an adoc generated version of the changelog as well:
> > >
> > > == Dependency upgrade
> > >
> > > [.compact]
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4100[TOMEE-4100]
> > > XBean 4.22
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4126[TOMEE-4126]
> > > CXF 3.4.10
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4118[TOMEE-4118]
> > > CXF 3.4.9
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4125[TOMEE-4125]
> > > CXF versions mitigate CVE-2022-46364 and CVE-2022-46363
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4086[TOMEE-4086]
> > > HSQLDB 2.7.1
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4170[TOMEE-4170]
> > > Hibernate 5.6.14
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4107[TOMEE-4107]
> > > Jackson 2.14.0
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4129[TOMEE-4129]
> > > Jackson 2.14.1
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4169[TOMEE-4169]
> > > SnakeYAML - CVE-2022-1471
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4116[TOMEE-4116]
> > > Tomcat 9.0.69
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4121[TOMEE-4121]
> > > Tomcat 9.0.70
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4173[TOMEE-4173]
> > > Tomcat 9.0.71
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4109[TOMEE-4109]
> > > Velocity 2.3
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4110[TOMEE-4110]
> > > Woodstox 6.4.0 (CVE-2022-40152)
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4111[TOMEE-4111]
> > > bcel component
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4130[TOMEE-4130]
> > > commons-compress 1.22
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4094[TOMEE-4094]
> > > jackson 2.14.0-rc2
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4103[TOMEE-4103]
> > > woodstox-core mitigate CVE-2022-40153
> > >
> > > == Bug
> > >
> > > [.compact]
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4120[TOMEE-4120]
> > > Remote EJB2 BMP Memory Leak
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4122[TOMEE-4122]
> > > Performance Regression in bean resolution in EAR files
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4101[TOMEE-4101]
> > > Typo with EL22Adaptor implementation in openwebbeans.properties
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4102[TOMEE-4102]
> > > TomEE logs SEVERE: Expected ContextBinding to have the method
> > > getThreadName()
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4106[TOMEE-4106]
> > > TomEE version no longer appearing at default manager page
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4014[TOMEE-4014]
> > > Unable to see TomEE version in Tomcat home page with Java 17
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4108[TOMEE-4108]
> > > Backport TOMEE-4065: LoginToContinue interceptor fails on custom auth
> > > mechanism
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-3779[TOMEE-3779]
> > > tomee-embedded-maven-plugin fails with NPE
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4176[TOMEE-4176]
> > > CVE-2022-45143 Apache Tomcat - JsonErrorReportValve injection on TomEE's
> > > tomcat-websocket.jar
> > >
> > > == Improvement
> > >
> > > [.compact]
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4124[TOMEE-4124]
> > > Remove timing of timing just for logging
> > >
> > > == Task
> > >
> > > [.compact]
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4171[TOMEE-4171]
> > > Apache Parent 29
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4172[TOMEE-4172]
> > > JUnit 5.9.2
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4177[TOMEE-4177]
> > > Patch Plugin 0.10
> > >
> > > == Documentation
> > >
> > > [.compact]
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4104[TOMEE-4104]
> > > Documentation Website: XA DataSource Configuration: Bug in MySQL Sample
> > > Code
> > >
> > > == Fixed Common Vulnerabilities and Exposures (CVEs)
> > >
> > > [.compact]
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4086[TOMEE-4086]
> > > HSQLDB 2.7.1
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4125[TOMEE-4125]
> > > Update Apache CXF versions to mitigate CVE-2022-46364 and
> > > CVE-2022-46363
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4103[TOMEE-4103]
> > > Update woodstox-core to mitigate CVE-2022-40153
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4111[TOMEE-4111]
> > > Upgrade bcel component in TomEE
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4176[TOMEE-4176]
> > > CVE-2022-45143 Apache Tomcat - JsonErrorReportValve injection on TomEE's
> > > tomcat-websocket.jar
> > >
> > >
> > >
> > >
> > > ###############
> > >
> > > Here is the dependency diff from 8.0.13 to 8.0.14 created with our
> > > release tools:
> > >
> > >           artifactId                from        to
> > > ------------------------------- ------------ --------
> > >  jackson-annotations             2.14.0-rc1   2.14.1
> > >  jackson-core                    2.14.0-rc1   2.14.1
> > >  jackson-databind                2.14.0-rc1   2.14.1
> > >  jackson-dataformat-yaml         2.14.0-rc1   2.14.1
> > >  woodstox-core                   6.2.4         6.4.0
> > >  cxf-rt-bindings-soap            3.4.8        3.4.10
> > >  cxf-rt-bindings-xml             3.4.8        3.4.10
> > >  cxf-rt-frontend-jaxws           3.4.8        3.4.10
> > >  cxf-rt-frontend-simple          3.4.8        3.4.10
> > >  cxf-rt-management               3.4.8        3.4.10
> > >  cxf-rt-rs-extension-providers   3.4.8        3.4.10
> > >  cxf-rt-rs-extension-search      3.4.8        3.4.10
> > >  cxf-rt-rs-json-basic            3.4.8        3.4.10
> > >  cxf-rt-rs-mp-client             3.4.8        3.4.10
> > >  cxf-rt-rs-security-cors         3.4.8        3.4.10
> > >  cxf-rt-rs-security-jose         3.4.8        3.4.10
> > >  cxf-rt-rs-security-jose-jaxrs   3.4.8        3.4.10
> > >  cxf-rt-rs-security-oauth2       3.4.8        3.4.10
> > >  cxf-rt-rs-service-description   3.4.8        3.4.10
> > >  cxf-rt-rs-sse                   3.4.8        3.4.10
> > >  cxf-rt-security                 3.4.8        3.4.10
> > >  cxf-rt-security-saml            3.4.8        3.4.10
> > >  cxf-rt-ws-addr                  3.4.8        3.4.10
> > >  cxf-rt-ws-policy                3.4.8        3.4.10
> > >  cxf-rt-ws-security              3.4.8        3.4.10
> > >  cxf-rt-wsdl                     3.4.8        3.4.10
> > >  cxf-shade                       8.0.13       8.0.14
> > >  taglibs-shade                   8.0.13       8.0.14
> > >  tomee-bootstrap                 8.0.13       8.0.14
> > >  xbean-asm9-shaded               4.21           4.22
> > >  xbean-bundleutils               4.21           4.22
> > >  xbean-finder-shaded             4.21           4.22
> > >  xbean-naming                    4.21           4.22
> > >  xbean-reflect                   4.21           4.22
> > >
> > > ###############
> > >
> > > Note:
> > >
> > > (1) CVE-2022-1471 (snakeyaml): Snakeyaml is a transient dependency of
> > >  jackson-dataformat-yaml (which is used in OpenAPI).
> > >  According to the Jackson people, they are not affected:
> > > https://github.com/FasterXML/jackson-dataformats-text/issues/361
> > >
> > > ###############
> > >
> > >
> > > Please VOTE
> > >
> > > [+1] go ship it
> > > [+0] meh, don't care
> > > [-1] stop, there is a ${showstopper}
> > >
> > > The VOTE is open for 72h or as long as needed.
> > >
> > > Regards
> > > Richard
> > >
> > >
> >
>
