Thanks for the testing! Feel free to provide such a list or flag the issues in Jira with the CVE tag :) (then it is auto-generated). If permissions are an issue, happy to assign them.
On 21 March 2025 08:33:54 CET, Alex The Rocker <alex.m3...@gmail.com> wrote:
>Hello,
>
>[+1] (non-binding) tested TomEE+ 10.0.1 RC2 with my web apps running
>with IBM Semeru 21.0.5 on RedHat Linux 8, involving uses of Servlets,
>JAX-RS, JAX-XML, CDI, JMS and Websockets, and found no regression.
>
>On a side note, I was quite happy to see
>https://nvd.nist.gov/vuln/detail/CVE-2025-2240 fixed in this RC, but I
>feel that TomEE's release notes are not "doing justice" to the value
>of such a TomEE patch release given the many CVE fixes since 10.0.1 (I
>had to search TomEE's JIRA to find that this latter CVE is fixed
>through this dependency update:
>https://issues.apache.org/jira/browse/TOMEE-4466?jql=text%20~%20%22CVE-2025-2240%22)
>
>=> May I suggest that TomEE's release notes recap all CVEs fixed since the
>last released version? For Tomcat, they have this
>https://tomcat.apache.org/security.html page giving an overview of
>fixed vulnerabilities, but we don't have to copy that: if only the
>release notes could provide a list of fixed CVEs, then I guess that
>would make life easier for all who care about this.
>
>(my 2 cents)
>
>Thanks,
>Alex
>
>On Thu 20 March 2025 at 14:33, Richard Zowalla <r...@apache.org> wrote:
>>
>> Hi everyone,
>>
>> We're calling a new vote on TomEE 10.0.1, which targets Jakarta EE 10 and
>> MicroProfile 6.0.
>>
>> This release includes bug fixes for user-reported issues in bval and
>> mojarra, along with other improvements—one of which resolves a problem that
>> rendered the BOMs ineffective without an exclusion.
>> We fixed some issues in the embedded area as well and included the latest
>> versions of our dependencies including some CVE fixes (like in Tomcat).
>>
>> Here are the hard facts:
>>
>> ###############
>>
>> Maven Repo:
>> https://repository.apache.org/content/repositories/orgapachetomee-1234
>>
>> <repositories>
>>   <repository>
>>     <id>tomee-10.0.1</id>
>>     <name>Testing TomEE 10.0.1</name>
>>     <url>
>>       https://repository.apache.org/content/repositories/orgapachetomee-1234
>>     </url>
>>   </repository>
>> </repositories>
>>
>> ###############
>>
>> Binaries & Source:
>>
>> https://dist.apache.org/repos/dist/dev/tomee/staging-1234/tomee-10.0.1/
>>
>> ###############
>>
>> Tag:
>>
>> https://github.com/apache/tomee/releases/tag/tomee-project-10.0.1
>>
>> Hash:
>>
>> 54079bef6dcfe255342d4adba97837d1c059347a
>>
>> ###############
>>
>> Release note
>>
>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12355520
>>
>> Here is the plain text version:
>>
>> == Dependency upgrade
>>
>> [.compact]
>> - link:https://issues.apache.org/jira/browse/TOMEE-4446[TOMEE-4446] AMQ 6.1.5
>> - link:https://issues.apache.org/jira/browse/TOMEE-4467[TOMEE-4467] ActiveMQ 6.1.6
>> - link:https://issues.apache.org/jira/browse/TOMEE-4464[TOMEE-4464] CXF 4.1.1
>> - link:https://issues.apache.org/jira/browse/TOMEE-4451[TOMEE-4451] Commons Codec 1.18.0
>> - link:https://issues.apache.org/jira/browse/TOMEE-4453[TOMEE-4453] Commons Logging 1.3.5
>> - link:https://issues.apache.org/jira/browse/TOMEE-4441[TOMEE-4441] EclipseLink 4.0.5
>> - link:https://issues.apache.org/jira/browse/TOMEE-4461[TOMEE-4461] Jackson 2.18.3
>> - link:https://issues.apache.org/jira/browse/TOMEE-4455[TOMEE-4455] MP Config Impl 3.11.2
>> - link:https://issues.apache.org/jira/browse/TOMEE-4463[TOMEE-4463] Mojarra 4.0.11
>> - link:https://issues.apache.org/jira/browse/TOMEE-4442[TOMEE-4442] Quartz Shade 2.5.0
>> - link:https://issues.apache.org/jira/browse/TOMEE-4468[TOMEE-4468] Smallrye MP Config Impl 3.12.3
>> - link:https://issues.apache.org/jira/browse/TOMEE-4462[TOMEE-4462] Tomcat 10.1.39
>> - link:https://issues.apache.org/jira/browse/TOMEE-4440[TOMEE-4440] arquillian-tomee-embedded depends on junit 4
>> - link:https://issues.apache.org/jira/browse/TOMEE-4444[TOMEE-4444] commons codec 1.17.2
>> - link:https://issues.apache.org/jira/browse/TOMEE-4452[TOMEE-4452] commons-pool2 2.12.1
>> - link:https://issues.apache.org/jira/browse/TOMEE-4378[TOMEE-4378] geronimo-mail_2.1_spec version 1.0.1
>> - link:https://issues.apache.org/jira/browse/TOMEE-4466[TOMEE-4466] smallrye-fault-tolerance-core 6.4.3
>> - link:https://issues.apache.org/jira/browse/TOMEE-4445[TOMEE-4445] BouncyCastle 1.80
>>
>> == Bug
>>
>> [.compact]
>> - link:https://issues.apache.org/jira/browse/TOMEE-4460[TOMEE-4460] Missing service-jar.xml in Serverless Builder and Embedded Scenarios
>> - link:https://issues.apache.org/jira/browse/TOMEE-4447[TOMEE-4447] TomEE incorrectly propagates transaction for CDI Async Events
>> - link:https://issues.apache.org/jira/browse/TOMEE-4450[TOMEE-4450] EL expressions in Jakarta Faces not working with Mojarra
>> - link:https://issues.apache.org/jira/browse/TOMEE-4454[TOMEE-4454] Missing artifact org.apache.tomee:tomee-microprofile-webapp:jar:10.0.0
>> - link:https://issues.apache.org/jira/browse/TOMEE-4459[TOMEE-4459] Running AppComposer with LogLevel.FINE and OpenJPA results in an exception
>>
>> ###############
>>
>> For signature verification, you can check on the example script here:
>> https://gist.github.com/rzo1/9fb1ca0d58e1fc982d596f2a94b10b32
>>
>> Please VOTE
>>
>> [+1] go ship it
>> [+0] meh, don't care
>> [-1] stop, there is a ${showstopper}
>>
>> The VOTE is open for 72h or as long as needed.
>>
>> Regards
>> Richard
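The CVE recap Alex asks for, as an added example that is not part of this thread or of TomEE's own release tooling: it parses the asciidoc bullets of the Jira-generated release note quoted above and joins them with an issue-to-CVE mapping (a constructed stand-in for the Jira CVE label Richard mentions) to emit a security section in the same format. The mapping shape, the `CVE-PLACEHOLDER-*` ids and the excerpt of the note are assumptions.

```python
import re

# One asciidoc bullet of a Jira-generated TomEE release note, e.g. "- link:URL[TOMEE-4466] smallrye-fault-tolerance-core 6.4.3"
LINK_RE = re.compile(r"^-\s+link:(?P<url>\S+?)\[(?P<key>[A-Z]+-\d+)\]\s*(?P<summary>.*)$")
SECTION_RE = re.compile(r"^==\s+(?P<title>.+)$")

def parse_release_notes(text):
    """Return {section, key, url, summary} for every issue bullet, in document order."""
    entries, section = [], None
    for line in map(str.strip, text.splitlines()):
        if (m := SECTION_RE.match(line)):
            section = m.group("title")
        elif (m := LINK_RE.match(line)):
            entries.append({"section": section, **m.groupdict()})
    return entries

def security_recap(entries, cves_by_issue):
    """Join parsed issues with the CVE ids a Jira CVE label would carry; one row per CVE, sorted."""
    rows = [(cve, e["key"], e["summary"]) for e in entries for cve in cves_by_issue.get(e["key"], ())]
    return sorted(rows)

def render_recap(rows):
    """Emit a recap section in the same asciidoc style as the other release-note sections."""
    lines = ["== Security fixes (CVEs addressed in this release)", "", "[.compact]"]
    lines += [f"- {cve}: link:https://issues.apache.org/jira/browse/{key}[{key}] {summary}" for cve, key, summary in rows]
    return "\n".join(lines)

# Constructed excerpt of the 10.0.1 plain-text release note quoted in the thread
RELEASE_NOTE = """\
== Dependency upgrade

[.compact]
- link:https://issues.apache.org/jira/browse/TOMEE-4462[TOMEE-4462] Tomcat 10.1.39
- link:https://issues.apache.org/jira/browse/TOMEE-4466[TOMEE-4466] smallrye-fault-tolerance-core 6.4.3

== Bug

[.compact]
- link:https://issues.apache.org/jira/browse/TOMEE-4460[TOMEE-4460] Missing service-jar.xml in Serverless Builder and Embedded Scenarios
"""

# Constructed stand-in for Jira CVE labels. Only TOMEE-4466 -> CVE-2025-2240 comes from the thread;
# the Tomcat ids are placeholders, there only to show an issue that closes several CVEs.
CVES_BY_ISSUE = {"TOMEE-4466": ["CVE-2025-2240"], "TOMEE-4462": ["CVE-PLACEHOLDER-A", "CVE-PLACEHOLDER-B"]}

if __name__ == "__main__":
    print(render_recap(security_recap(parse_release_notes(RELEASE_NOTE), CVES_BY_ISSUE)))
```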