Hi all,

this is a vote for a release of Apache TomEE 8.0.15.

It is a maintenance release with some bug fixes and dependency
upgrades (addressing some CVEs).

###############

Maven Repo:
https://repository.apache.org/content/repositories/orgapachetomee-1214/

<repositories>
  <repository>
    <id>tomee-8.0.15-rc1</id>
    <name>Testing TomEE 8.0.15 RC1</name>
    <url>https://repository.apache.org/content/repositories/orgapachetomee-1214/</url>
  </repository>
</repositories>

###############

Binaries & Source:

https://dist.apache.org/repos/dist/dev/tomee/staging-1214/tomee-8.0.15/

###############

Tag:

https://github.com/apache/tomee/releases/tag/tomee-project-8.0.15


###############

Release notes:

https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12352766

###############

Here is an adoc generated version of the changelog as well:

== Dependency upgrade

[.compact]
 - link:https://issues.apache.org/jira/browse/TOMEE-4188[TOMEE-4188] ActiveMQ 5.16.6
 - link:https://issues.apache.org/jira/browse/TOMEE-4180[TOMEE-4180] CXF 3.5.5
 - link:https://issues.apache.org/jira/browse/TOMEE-4187[TOMEE-4187] Commons FileUpload 1.5
 - link:https://issues.apache.org/jira/browse/TOMEE-4210[TOMEE-4210] EclipseLink 2.7.12
 - link:https://issues.apache.org/jira/browse/TOMEE-4211[TOMEE-4211] Hibernate Integration 5.6.15.Final
 - link:https://issues.apache.org/jira/browse/TOMEE-4206[TOMEE-4206] Jackson 2.15.0
 - link:https://issues.apache.org/jira/browse/TOMEE-4207[TOMEE-4207] Johnzon 1.2.20
 - link:https://issues.apache.org/jira/browse/TOMEE-4205[TOMEE-4205] Jose4j 0.9.3
 - link:https://issues.apache.org/jira/browse/TOMEE-4209[TOMEE-4209] Mojarra 2.3.19
 - link:https://issues.apache.org/jira/browse/TOMEE-4195[TOMEE-4195] Tomcat 9.0.72 (CVE-2023-28708)
 - link:https://issues.apache.org/jira/browse/TOMEE-4191[TOMEE-4191] Tomcat 9.0.73
 - link:https://issues.apache.org/jira/browse/TOMEE-4201[TOMEE-4201] Tomcat 9.0.74
 - link:https://issues.apache.org/jira/browse/TOMEE-4194[TOMEE-4194] snakeyaml version 2.0 mitigate CVE-2022-1471

== Bug

[.compact]
 - link:https://issues.apache.org/jira/browse/TOMEE-4192[TOMEE-4192] ApplicationComposers do not clear GC references on release
 - link:https://issues.apache.org/jira/browse/TOMEE-4181[TOMEE-4181] BCProv jar loses its signature during the patch process
 - link:https://issues.apache.org/jira/browse/TOMEE-4122[TOMEE-4122] Performance Regression in bean resolution in EAR files
 - link:https://issues.apache.org/jira/browse/TOMEE-4189[TOMEE-4189] java.lang.ClassNotFoundException: org.apache.openejb.loader.SystemInstance
 - link:https://issues.apache.org/jira/browse/TOMEE-4179[TOMEE-4179] Fix creeping in API JARs which should be in javaee-api

== Wish

[.compact]
 - link:https://issues.apache.org/jira/browse/TOMEE-4190[TOMEE-4190] RunWithApplicationComposer should support inheritance

== Fixed Common Vulnerabilities and Exposures (CVEs)

[.compact]
 - link:https://issues.apache.org/jira/browse/TOMEE-4194[TOMEE-4194] Update snakeyaml version to 2.0 to mitigate CVE-2022-1471
 - link:https://issues.apache.org/jira/browse/TOMEE-4195[TOMEE-4195] Upgrade to Apache Tomcat 9.0.72 (CVE-2023-28708)
 - link:https://issues.apache.org/jira/browse/TOMEE-4187[TOMEE-4187] Commons FileUpload 1.5


###############

Here is the dependency diff from 8.0.14 to 8.0.15 created with our
release tools:

          artifactId              from          to        
------------------------------- -------- -----------------
 jackson-annotations             2.14.1   2.15.0          
 jackson-core                    2.14.1   2.15.0          
 jackson-databind                2.14.1   2.15.0          
 jackson-dataformat-yaml         2.14.1   2.15.0          
 saaj-impl                        1.5.1   1.5.3           
 activemq-broker                 5.16.5   5.16.6          
 activemq-client                 5.16.5   5.16.6          
 activemq-jdbc-store             5.16.5   5.16.6          
 activemq-kahadb-store           5.16.5   5.16.6          
 activemq-openwire-legacy        5.16.5   5.16.6          
 activemq-ra                     5.16.5   5.16.6          
 cxf-rt-rs-mp-client             3.4.10   3.5.5           
 johnzon-core                    1.2.19   1.2.20          
 johnzon-jaxrs                   1.2.19   1.2.20          
 johnzon-jsonb                   1.2.19   1.2.20          
 johnzon-jsonp-strict            1.2.19   1.2.20          
 johnzon-mapper                  1.2.19   1.2.20          
 xmlsec                           2.2.3   2.3.2           
 wss4j-bindings                   2.3.3   2.4.1           
 wss4j-policy                     2.3.3   2.4.1           
 wss4j-ws-security-common         2.3.3   2.4.1           
 wss4j-ws-security-dom            2.3.3   2.4.1           
 wss4j-ws-security-policy-stax    2.3.3   2.4.1           
 wss4j-ws-security-stax           2.3.3   2.4.1           
 jose4j                           0.6.0   0.9.3           
 eclipselink                     2.7.11   2.7.12          
 jakarta.faces                   2.3.18   2.3.19          
 stax-ex                          1.8.1   1.8.3           
 snakeyaml                         1.33   2.0 

###############

Please VOTE

[+1] go ship it
[+0] meh, don't care
[-1] stop, there is a ${showstopper}

The VOTE is open for 72h or as long as needed.

Regards
Richard
