Re: 8.0.14 next week? [Was: Having 8.0.14 before christmas? Opinions?]

2023-01-13 Thread Richard Zowalla
Yes. I just updated from 9.0.70 to 9.0.71. I am currently planning to start a vote on Tuesday next week (if nothing else occupies me on that day). Regards, Richard On Friday, 13.01.2023 at 15:03 +0100, Alex The Rocker wrote: > Hello Richard, > > Can upcoming TomEE 8.0.14 integrate Tomcat 9.0.71,

Re: 8.0.14 next week? [Was: Having 8.0.14 before christmas? Opinions?]

2023-01-13 Thread Alex The Rocker
Hello Richard, Can upcoming TomEE 8.0.14 integrate Tomcat 9.0.71, or at least Tomcat 9.0.69 so as to fix CVE-2022-45143? This latter CVE is rated High (https://nvd.nist.gov/vuln/detail/CVE-2022-45143) so given the high attention on CVEs, it would be too bad to miss this one. Thanks, Alex Le

Re: 8.0.14 next week? [Was: Having 8.0.14 before christmas? Opinions?]

2023-01-11 Thread Alex The Rocker
Thanks Richard for this clarification (hope it's available in TomEE Security page to avoid people asking the same question) => When can TomEE 8.0.14 vote start? Alex On Wed, 11 Jan 2023 at 15:11, Richard Zowalla wrote: > > Hi Alex, > > thanks for the reply. > > There is an issue regarding

Re: 8.0.14 next week? [Was: Having 8.0.14 before christmas? Opinions?]

2023-01-11 Thread Richard Zowalla
Hi Alex, thanks for the reply. There is an issue regarding CVE-2022-1471 (snakeyaml) [1]. Snakeyaml is a transient dependency of jackson-dataformat-yaml (which is used in OpenAPI). According to the Jackson people [2], they are not affected [2]. Therefore, I don't think that we are impacted.

Re: 8.0.14 next week? [Was: Having 8.0.14 before christmas? Opinions?]

2023-01-11 Thread Richard Zowalla
On Wednesday, 11.01.2023 at 14:32 +0100, Alex The Rocker wrote: > Hello Richard, > > I give a big +1 for having a 8.0.14 release ASAP. > > I have nothing to ask in into beyond the (many) CVE fixes done so > far, > except maybe if it could be checked if TomEE+ usage of snakeyaml > (which is

Re: 8.0.14 next week? [Was: Having 8.0.14 before christmas? Opinions?]

2023-01-11 Thread Alex The Rocker
Hello Richard, I give a big +1 for having a 8.0.14 release ASAP. I have nothing to ask in into beyond the (many) CVE fixes done so far, except maybe if it could be checked if TomEE+ usage of snakeyaml (which is part of TomEE+ libraries) systematically relies on SnakeYaml's SafeConstructor, so as

Re: 8.0.14 next week? [Was: Having 8.0.14 before christmas? Opinions?]

2023-01-11 Thread Jean-Louis Monteiro
Thanks. Nothing on my radar On Wed, 11 Jan 2023, 08:13, Richard Zowalla wrote: > Hi all, > > I would like to bring up 8.0.14 for a VOTE next week. > > Is there anything (dep updates, etc.) we need to include before > proceeding with the preparations? > > Current changes: >

8.0.14 next week? [Was: Having 8.0.14 before christmas? Opinions?]

2023-01-11 Thread Richard Zowalla
Hi all, I would like to bring up 8.0.14 for a VOTE next week. Is there anything (dep updates, etc.) we need to include before proceeding with the preparations? Current changes: https://issues.apache.org/jira/projects/TOMEE/versions/12352390 CXF 3.4.10 will be the last release of the 3.4.x

Re: Having 8.0.14 before christmas? Opinions?

2022-12-28 Thread Richard Zowalla
On Thursday, 22.12.2022 at 15:18 +0100, Thomas Andraschko wrote: > is there a reason we don't have the github dependabot on master and > 8.0x? It continuously generates noise (especially for /examples) or promotes incompatible changes (jakarta vs javax) all the time :-) Therefore, it is

Re: Having 8.0.14 before christmas? Opinions?

2022-12-22 Thread Thomas Andraschko
also created 2 issues for further dependency upgrades: https://issues.apache.org/jira/browse/TOMEE-4130 https://issues.apache.org/jira/browse/TOMEE-4129 is there a reason we don't have the github dependabot on master and 8.0x? Am Do., 22. Dez. 2022 um 15:07 Uhr schrieb Thomas Andraschko <

Re: Having 8.0.14 before christmas? Opinions?

2022-12-22 Thread Thomas Andraschko
+1 for this as it will fix the new CXF CVE On Wed, 21 Dec 2022 at 11:03, Richard Zowalla wrote: > To follow up on that: > > I had a quick conversation with Jon about that topic. > We need to fix TOMEE-4014 (regarding the keep.version property, see > [1]) before we can bring up a release

Re: Having 8.0.14 before christmas? Opinions?

2022-12-21 Thread Richard Zowalla
To follow up on that: I had a quick conversation with Jon about that topic. We need to fix TOMEE-4014 (regarding the keep.version property, see [1]) before we can bring up a release vote. However, effort / focus is currently on getting 9.0 Final out of the door and fixing / work on the

Re: Having 8.0.14 before christmas? Opinions?

2022-12-06 Thread Wiesner, Martin
My vote: +1 -- Best Martin > On 06.12.2022 at 16:25, Jean-Louis Monteiro wrote: > > I'm not -1 > > But I'd definitely favor working on getting 9.0.0 final so we can switch to > Jakarta EE 10 and MicroProfile 6.0 > > My vote: 0 > > On Tue, 6 Dec 2022, 16:11, Swell wrote: > >> +1, we

Re: Having 8.0.14 before christmas? Opinions?

2022-12-06 Thread Jean-Louis Monteiro
I'm not -1 But I'd definitely favor working on getting 9.0.0 final so we can switch to Jakarta EE 10 and MicroProfile 6.0 My vote: 0 On Tue, 6 Dec 2022, 16:11, Swell wrote: > +1, we did not yet ship the fixes for the CVE, good to have them shipped > > > On Tue, 6 Dec 2022 at 15:47,

Re: Having 8.0.14 before christmas? Opinions?

2022-12-06 Thread Swell
+1, we did not yet ship the fixes for the CVE, good to have them shipped On Tue, 6 Dec 2022 at 15:47, Richard Zowalla wrote: > Hi all, > > We have some dependency updates (tomcat, cxf, hsqldb) and some CVE > related fixes (woodstox, shaded bcel, ...). > > I was thinking about having 8.0.14

Having 8.0.14 before christmas? Opinions?

2022-12-06 Thread Richard Zowalla
Hi all, We have some dependency updates (tomcat, cxf, hsqldb) and some CVE related fixes (woodstox, shaded bcel, ...). I was thinking about having 8.0.14 before we all get too stressed with Christmas, etc. and no one has time to review / test a 8.0.14 RC. So my questions are: - What is the