Hello Richard,

I fully agree with this proposal to postpone the bval upgrade so as to at
least provide the community with a 10.0.1 release with CVE fixes.

Note: I was about to send my own +1 (non-binding) on TomEE 10.0.1 RC1,
based on my tests on my webapps: found no regression on these web apps
which rely on jax-rs, jax-rs, cdi, entity beans, servlet, jms and
websocket API (obviously I don't have Bean validation use cases
showing the regression in RC1). All these tests were done with IBM
Semeru Java 21.0.6 on Linux RH 8.

Thanks,
Alex

On Wed, 19 Mar 2025 at 08:48, Richard Zowalla <r...@apache.org> wrote:
>
> I am going to post a new release candidate without bval soon (=tmrw or Friday)
>
> Think we can postpone the bval upgrade (until the regression is resolved) to 
> get in the Tomcat and other CVE fixes.
>
> On 2025/03/19 06:52:13 Richard Zowalla wrote:
> > Hi all,
> >
> > due to a regression in BVAL, we are going to cancel this release.
> >
> > Regards
> > Richard
> >
> > On 2025/03/13 17:19:34 Richard Zowalla wrote:
> > > Hi everyone,
> > >
> > > We're calling for a vote on TomEE 10.0.1, which targets Jakarta EE 10 and 
> > > MicroProfile 6.0.
> > >
> > > This release includes bug fixes for user-reported issues in bval and 
> > > mojarra, along with other improvements—one of which resolves a problem 
> > > that rendered the BOMs ineffective without an exclusion.
> > > We fixed some issues in the embedded area as well and included the latest 
> > > versions of our dependencies including some CVE fixes (like in Tomcat).
> > >
> > > Here are the hard facts:
> > >
> > > ###############
> > >
> > > Maven Repo:
> > > https://repository.apache.org/content/repositories/orgapachetomee-1233
> > >
> > > <repositories>
> > >   <repository>
> > >     <id>tomee-10.0.1</id>
> > >     <name>Testing TomEE 10.0.1</name>
> > >     <url>https://repository.apache.org/content/repositories/orgapachetomee-1233</url>
> > >   </repository>
> > > </repositories>
> > >
> > > ###############
> > >
> > > Binaries & Source:
> > >
> > > https://dist.apache.org/repos/dist/dev/tomee/staging-1233/tomee-10.0.1/
> > >
> > > ###############
> > >
> > > Tag:
> > >
> > > https://github.com/apache/tomee/releases/tag/tomee-project-10.0.1
> > >
> > > Hash:
> > >
> > > 29e0c4c3b7fee0e66906088bdfe3a91f36e66904
> > >
> > >
> > > ###############
> > >
> > > Release note
> > >
> > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12355520
> > >
> > > Here is the plain text version:
> > >
> > > == Dependency upgrade
> > >
> > > [.compact]
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4446[TOMEE-4446] AMQ 6.1.5
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4465[TOMEE-4465] BVal 3.0.2
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4464[TOMEE-4464] CXF 4.1.1
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4451[TOMEE-4451] Commons Codec 1.18.0
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4453[TOMEE-4453] Commons Logging 1.3.5
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4441[TOMEE-4441] EclipseLink 4.0.5
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4461[TOMEE-4461] Jackson 2.18.3
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4455[TOMEE-4455] MP Config Impl 3.11.2
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4463[TOMEE-4463] Mojarra 4.0.11
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4442[TOMEE-4442] Quartz Shade 2.5.0
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4457[TOMEE-4457] Tomcat 10.1.35
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4458[TOMEE-4458] Tomcat 10.1.36
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4462[TOMEE-4462] Tomcat 10.1.39
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4440[TOMEE-4440] arquillian-tomee-embedded depends on junit 4
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4444[TOMEE-4444] commons codec 1.17.2
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4452[TOMEE-4452] commons-pool2 2.12.1
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4378[TOMEE-4378] geronimo-mail_2.1_spec version 1.0.1
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4445[TOMEE-4445] BouncyCastle 1.80
> > >
> > > == Bug
> > >
> > > [.compact]
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4460[TOMEE-4460] Missing service-jar.xml in Serverless Builder and Embedded Scenarios
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4450[TOMEE-4450] EL expressions in Jakarta Faces not working with Mojarra
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4454[TOMEE-4454] Missing artifact org.apache.tomee:tomee-microprofile-webapp:jar:10.0.0
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4447[TOMEE-4447] TomEE incorrectly propagates transaction for CDI Async Events
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4459[TOMEE-4459] Running AppComposer with LogLevel.FINE and OpenJPA results in an exception
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4449[TOMEE-4449] Invalid jakarta.validation.ConstraintDeclarationException thrown
> > >
> > > ###############
> > >
> > > For signature verification, you can check on the example script here:
> > > https://gist.github.com/rzo1/9fb1ca0d58e1fc982d596f2a94b10b32
> > >
> > >
> > > Please VOTE
> > >
> > > [+1] go ship it
> > > [+0] meh, don't care
> > > [-1] stop, there is a ${showstopper}
> > >
> > > The VOTE is open for 72h or as long as needed.
> > >
> > > Regards
> > > Richard
> >
