Hello Richard,

I fully agree with this proposal to postpone the bval upgrade so as to at least provide the community with a 10.0.1 release with CVE fixes.
Note: I was about to send my own +1 (non-binding) on TomEE 10.0.1 RC1, based on my tests on my webapps: found no regression on these web apps which rely on jax-rs, jax-rs, cdi, entity beans, servlet, jms and websocket API (obviously I don't have Bean validation use cases showing the regression in RC1).
- all these tests being done with IBM Semeru Java 21.0.6 on Linux RH 8

Thanks,
Alex

On Wed, 19 Mar 2025 at 08:48, Richard Zowalla <r...@apache.org> wrote:
>
> I am going to post a new release candidate without bval soon (=tmrw or Friday)
>
> Think we can postpone the bval upgrade (until the regression is resolved) to get in the Tomcat and other CVE fixes.
>
> On 2025/03/19 06:52:13 Richard Zowalla wrote:
> > Hi all,
> >
> > due to a regression in BVAL, we are going to cancel this release.
> >
> > Regards
> > Richard
> >
> > On 2025/03/13 17:19:34 Richard Zowalla wrote:
> > > Hi everyone,
> > >
> > > We're calling for a vote on TomEE 10.0.1, which targets Jakarta EE 10 and MicroProfile 6.0.
> > >
> > > This release includes bug fixes for user-reported issues in bval and mojarra, along with other improvements—one of which resolves a problem that rendered the BOMs ineffective without an exclusion.
> > > We fixed some issues in the embedded area as well and included the latest versions of our dependencies including some CVE fixes (like in Tomcat).
> > >
> > > Here are the hard facts:
> > >
> > > ###############
> > >
> > > Maven Repo:
> > > https://repository.apache.org/content/repositories/orgapachetomee-1233
> > >
> > > <repositories>
> > >   <repository>
> > >     <id>tomee-10.0.1</id>
> > >     <name>Testing TomEE 10.0.1</name>
> > >     <url>https://repository.apache.org/content/repositories/orgapachetomee-1233</url>
> > >   </repository>
> > > </repositories>
> > >
> > > ###############
> > >
> > > Binaries & Source:
> > >
> > > https://dist.apache.org/repos/dist/dev/tomee/staging-1233/tomee-10.0.1/
> > >
> > > ###############
> > >
> > > Tag:
> > >
> > > https://github.com/apache/tomee/releases/tag/tomee-project-10.0.1
> > >
> > > Hash:
> > >
> > > 29e0c4c3b7fee0e66906088bdfe3a91f36e66904
> > >
> > > ###############
> > >
> > > Release note
> > >
> > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12355520
> > >
> > > Here is the plain text version:
> > >
> > > == Dependency upgrade
> > >
> > > [.compact]
> > > - link:https://issues.apache.org/jira/browse/TOMEE-4446[TOMEE-4446] AMQ 6.1.5
> > > - link:https://issues.apache.org/jira/browse/TOMEE-4465[TOMEE-4465] BVal 3.0.2
> > > - link:https://issues.apache.org/jira/browse/TOMEE-4464[TOMEE-4464] CXF 4.1.1
> > > - link:https://issues.apache.org/jira/browse/TOMEE-4451[TOMEE-4451] Commons Codec 1.18.0
> > > - link:https://issues.apache.org/jira/browse/TOMEE-4453[TOMEE-4453] Commons Logging 1.3.5
> > > - link:https://issues.apache.org/jira/browse/TOMEE-4441[TOMEE-4441] EclipseLink 4.0.5
> > > - link:https://issues.apache.org/jira/browse/TOMEE-4461[TOMEE-4461] Jackson 2.18.3
> > > - link:https://issues.apache.org/jira/browse/TOMEE-4455[TOMEE-4455] MP Config Impl 3.11.2
> > > - link:https://issues.apache.org/jira/browse/TOMEE-4463[TOMEE-4463] Mojarra 4.0.11
> > > - link:https://issues.apache.org/jira/browse/TOMEE-4442[TOMEE-4442] Quartz Shade 2.5.0
> > > - link:https://issues.apache.org/jira/browse/TOMEE-4457[TOMEE-4457] Tomcat 10.1.35
> > > - link:https://issues.apache.org/jira/browse/TOMEE-4458[TOMEE-4458] Tomcat 10.1.36
> > > - link:https://issues.apache.org/jira/browse/TOMEE-4462[TOMEE-4462] Tomcat 10.1.39
> > > - link:https://issues.apache.org/jira/browse/TOMEE-4440[TOMEE-4440] arquillian-tomee-embedded depends on junit 4
> > > - link:https://issues.apache.org/jira/browse/TOMEE-4444[TOMEE-4444] commons codec 1.17.2
> > > - link:https://issues.apache.org/jira/browse/TOMEE-4452[TOMEE-4452] commons-pool2 2.12.1
> > > - link:https://issues.apache.org/jira/browse/TOMEE-4378[TOMEE-4378] geronimo-mail_2.1_spec version 1.0.1
> > > - link:https://issues.apache.org/jira/browse/TOMEE-4445[TOMEE-4445] BouncyCastle 1.80
> > >
> > > == Bug
> > >
> > > [.compact]
> > > - link:https://issues.apache.org/jira/browse/TOMEE-4460[TOMEE-4460] Missing service-jar.xml in Serverless Builder and Embedded Scenarios
> > > - link:https://issues.apache.org/jira/browse/TOMEE-4450[TOMEE-4450] EL expressions in Jakarta Faces not working with Mojarra
> > > - link:https://issues.apache.org/jira/browse/TOMEE-4454[TOMEE-4454] Missing artifact org.apache.tomee:tomee-microprofile-webapp:jar:10.0.0
> > > - link:https://issues.apache.org/jira/browse/TOMEE-4447[TOMEE-4447] TomEE incorrectly propagates transaction for CDI Async Events
> > > - link:https://issues.apache.org/jira/browse/TOMEE-4459[TOMEE-4459] Running AppComposer with LogLevel.FINE and OpenJPA results in an exception
> > > - link:https://issues.apache.org/jira/browse/TOMEE-4449[TOMEE-4449] Invalid jakarta.validation.ConstraintDeclarationException thrown
> > >
> > > ###############
> > >
> > > For signature verification, you can check on the example script here:
> > > https://gist.github.com/rzo1/9fb1ca0d58e1fc982d596f2a94b10b32
> > >
> > > Please VOTE
> > >
> > > [+1] go ship it
> > > [+0] meh, don't care
> > > [-1] stop, there is a ${showstopper}
> > >
> > > The VOTE is open for 72h or as long as needed.
> > >
> > > Regards
> > > Richard