Jacques, I don't know for a release from r18, but regarding a release from r22, you could consider sharing your viewpoint in thread 'Time to cut the first release of the R22 branch?' instead of here.
Kind regards,

Pierre Smits
*Proud contributor of* Apache OFBiz <https://ofbiz.apache.org/> since 2008 (without privileges)
Proud contributor to the ASF since 2006

*Apache Directory <https://directory.apache.org>, PMC Member*

Anyone could have been you, whereas I've always been anyone.

On Wed, Jan 26, 2022 at 2:04 PM Jacques Le Roux <[email protected]> wrote:

> Hi Pierre, All,
>
> Yes, saw that, complications come with me using Win7.
>
> As I said in the Jira: I'm not sure we need to make new releases (18 and 22).
> Because I doubt users persist sessions using advanced FileStore feature.
> So maybe simply a warning could be sufficient.
>
> Jacques
>
> On 26/01/2022 at 12:42, Pierre Smits wrote:
> > Hey Jacques,
> >
> > It seems to me that this commit does not address the issue described in the
> > referenced ticket: https://issues.apache.org/jira/browse/OFBIZ-12539.
> >
> > Should this not be corrected? E.g. having its own ticket?
> >
> >
> > Kind regards,
> >
> > Pierre Smits
> > *Proud contributor of* Apache OFBiz <https://ofbiz.apache.org/> since
> > 2008 (without privileges)
> > Proud contributor to the ASF since 2006
> >
> > *Apache Directory <https://directory.apache.org>, PMC Member*
> >
> > Anyone could have been you, whereas I've always been anyone.
> >
> >
> > On Wed, Jan 26, 2022 at 12:34 PM <[email protected]> wrote:
> >
> >> This is an automated email from the ASF dual-hosted git repository.
> >>
> >> jleroux pushed a commit to branch trunk
> >> in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
> >>
> >>
> >> The following commit(s) were added to refs/heads/trunk by this push:
> >>      new 6ed30b7 Fixed: Upgrade Tomcat from 9.0.54 to 9.0.58 (OFBIZ-12539)
> >> 6ed30b7 is described below
> >>
> >> commit 6ed30b76652e24162bcbc6efe4ca912ba0e31bc2
> >> Author: Jacques Le Roux <[email protected]>
> >> AuthorDate: Wed Jan 26 12:31:50 2022 +0100
> >>
> >>     Fixed: Upgrade Tomcat from 9.0.54 to 9.0.58 (OFBIZ-12539)
> >>
> >>     The fix for bug CVE-2020-9484 introduced a time of check, time of use
> >>     vulnerability that allowed a local attacker to perform actions with the
> >>     privileges of the user that the Tomcat process is using. This issue is only
> >>     exploitable when Tomcat is configured to persist sessions using the
> >>     FileStore.
> >> ---
> >>  themes/common-theme/webapp/common/js/package.json | 33 ++++++++++++-----------
> >>  1 file changed, 18 insertions(+), 15 deletions(-)
> >>
> >> diff --git a/themes/common-theme/webapp/common/js/package.json > >> b/themes/common-theme/webapp/common/js/package.json > >> index 036a227..429ade6 100644 > >> --- a/themes/common-theme/webapp/common/js/package.json > >> +++ b/themes/common-theme/webapp/common/js/package.json
> >> @@ -1,17 +1,20 @@ > >> { > >> - "name": "ofbiz-framework", > >> - "description": "ofbiz-framework NPM dependencies configuration", > >> - "repository": "https://github.com/apache/ofbiz-framework.git", > >> - "license": "Apache-2.0", > >> - "dependencies": { > >> - "jquery": "^3.6.0", > >> - "jquery-migrate": "^3.3.2", > >> - "jquery-validation": "^1.19.3", > >> - "jquery.browser": "^0.1.0", > >> - "dompurify": "^2.3.4", > >> - "jquery-ui-dist": "^1.13.0", > >> - "trumbowyg": "^2.25.1", > >> - "flot": "^4.2.2", > >> - "@chinchilla-software/jquery-ui-timepicker-addon": "^1.6.3" > >> - } > >> + "name": "ofbiz-framework", > >> + "description": "ofbiz-framework NPM dependencies configuration", > >> + "repository": "https://github.com/apache/ofbiz-framework.git", > >> + "license": "Apache-2.0", > >> + "dependencies": { > >> + "jquery": "^3.6.0", > >> + "jquery-migrate": "^3.3.2", > >> + "jquery-validation": "^1.19.3", > >> + "jquery.browser": "^0.1.0", > >> + "dompurify": "^2.3.4", > >> + "jquery-ui-dist": "^1.13.0", > >> + "trumbowyg": "^2.25.1", > >> + "flot": "^4.2.2", > >> + "@chinchilla-software/jquery-ui-timepicker-addon": "^1.6.3" > >> + }, > >> + "scripts": { > >> + "lint": "jshint **.js --reporter checkstyle > checkstyle.xml" > >> + } > >> } > >> >
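
Review bot: nothing in this hunk touches a Tomcat version, although the commit subject is "Upgrade Tomcat from 9.0.54 to 9.0.58 (OFBIZ-12539)"; the only file in the diffstat is themes/common-theme/webapp/common/js/package.json, so the dependency bump the message describes is not part of this change. Either add the build file that pins Tomcat to this commit, or retitle it and land the Tomcat upgrade separately against the ticket. Within the hunk itself, the keys from "name" through "dependencies" are removed and re-added with the same values, which accounts for most of the 18 insertions and 15 deletions and hides the one functional addition, the "scripts" block with the "lint" entry; keep that churn out, or in its own commit, so the new script can be reviewed on its own.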
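
The commit message quoted above says the issue is only exploitable when Tomcat persists sessions using the FileStore, and the reply suggests a warning may be enough. The following is an added example, not code from the thread or from OFBiz, of a check that flags that combination. It assumes a standalone Tomcat-style `context.xml` (how OFBiz's embedded Tomcat is configured is not shown in the thread), the sample configs are constructed, and the result labels are hypothetical.

```python
import xml.etree.ElementTree as ET

FILE_STORE = "org.apache.catalina.session.FileStore"
FIXED_9_0 = (9, 0, 58)  # target version named in the commit subject

# Constructed sample configs (assumption: not taken from OFBiz or the thread).
CONTEXT_WITH_FILESTORE = """
<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>
"""
CONTEXT_DEFAULT = """
<Context>
  <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>
"""

def uses_file_store(xml_text):
    """True if any <Manager> persists sessions through a FileStore <Store>."""
    root = ET.fromstring(xml_text.strip())
    return any(
        store.get("className", "").strip() == FILE_STORE
        for manager in root.iter("Manager")
        for store in manager.iter("Store")
    )

def assess(tomcat_version, xml_text):
    """Classify one deployment against the condition in the commit message."""
    version = tuple(int(part) for part in tomcat_version.split(".")[:3])
    if version[:2] != (9, 0):
        return "other-branch"      # the thread only gives versions for 9.0.x
    if version >= FIXED_9_0:
        return "upgraded"
    if uses_file_store(xml_text):
        return "exposed"           # older 9.0.x AND FileStore persistence
    return "upgrade-advised"       # older 9.0.x, FileStore not configured

if __name__ == "__main__":
    samples = [("filestore", CONTEXT_WITH_FILESTORE), ("default", CONTEXT_DEFAULT)]
    for name, cfg in samples:
        print(name, assess("9.0.54", cfg))
```
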
