I have posted a vote for 8.0.6. I'll follow up with 7.x versions. This does include Tomcat 9.0.41. Please do note that ActiveMQ just started a new release vote for 5.16.1 just before I posted this, which is *not* included. We can certainly follow up with an 8.0.7 if needed or include it if a reroll is needed.

Jon

On Thu, Jan 14, 2021 at 2:35 PM Jonathan Gallimore <[email protected]> wrote:

> Hi Alexandre
>
> The Tomcat version for 8.0.6 will be 9.0.41, and I am cutting the release
> now. This will include the fix for CVE-2021-24122, announced on Tomcat's
> mailing list today.
>
> Kind Regards
>
> Jon
>
> On Thu, Jan 14, 2021 at 2:26 PM Alex The Rocker <[email protected]>
> wrote:
>
>> Yes, for example CVE-2021-24122, for which a fix exists in Tomcat 9.0.40
>> / 8.5.60 / etc.
>> I hope this will be at least Tomcat's version embedded in upcoming TomEE
>> 8.0.6
>>
>> Kind regards,
>> Alexandre
>>
>> On Wed, Jan 13, 2021 at 12:53, Jonathan Gallimore
>> <[email protected]> wrote:
>> >
>> > Yes. Is there a specific concern you have?
>> >
>> > On Wed, Jan 13, 2021 at 10:40 AM Alex The Rocker <[email protected]>
>> > wrote:
>> >
>> > > Hello Jon,
>> > >
>> > > Would you please make sure that this 8.0.6 TomEE release will include
>> > > latest CVEs fixes (from TomEE, ActiveMQ, etc)?
>> > >
>> > > Kind regards,
>> > > Alexandre
>> > >
>> > > On Fri, Jan 8, 2021 at 14:15, Jonathan Gallimore
>> > > <[email protected]> wrote:
>> > > >
>> > > > Hi All,
>> > > >
>> > > > Any objections if I kick off an 8.0.6 release? I think there are some
>> > > > dependency updates that it would be useful to get included (specifically
>> > > > Tomcat), and also there's a regression with using a non-transactional
>> > > > ActiveMQ connection factory in a transactional method that I have fixed
>> > > > as well.
>> > > >
>> > > > Thanks
>> > > >
>> > > > Jon
