Hi,

thanks for the concerns raised. Better to check the CVE report and do a re-roll ;-)

@JL: Will take a look.

@Alex Thanks. We might not be able to address all CVEs as some of the libs used 
for EE7 aren't patched / updated anymore. I will have a look.

Regards
Richard
________________________________
From: Jean-Louis Monteiro <jlmonte...@tomitribe.com>
Sent: Tuesday, 2 August 2022 15:30:31
To: dev@tomee.apache.org
Subject: Re: [VOTE] Apache TomEE 7.1.5

-1 (binding)

Something went bad during the release. Looks like our libs are still
1.7.5-SNAPSHOT.
--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com


On Tue, Aug 2, 2022 at 2:37 PM Alex The Rocker <alex.m3...@gmail.com> wrote:

> Hello,
>
> [-1] (non binding)
>
> Indeed, I downloaded TomEE+ 7.1.5 binary (from
>
> https://dist.apache.org/repos/dist/dev/tomee/staging-1206/tomee-7.1.5/apache-tomee-7.1.5-plus.tar.gz
> )
> and then I ran Grype (https://github.com/anchore/grype) on TomEE+'s
> archive extract directory.
>
> That gives 2 Critical and 125 High CVEs (see attached Grype output for
> this scan).
>
> I agree with whoever will say that Grype isn't quite smart, but
> nevertheless the world is now paranoid with security matter.
>
> I don't think releasing a "last 7.1.x" version with CVEs would be of
> any good, so Grype's output is all false positive, then at least we
> need a statement to avoid confusion in this page:
> https://tomee.apache.org/security/tomee.html
>
> Please also note in attached Grype output the Warning lines related to
> archive-xbean-asm6-shaded-4.8.jar: isn't that showing a somehow
> malformed MANIFEST ?
>
> Thanks,
> Alex
>
> On Mon, 1 Aug 2022 at 19:35, Richard Zowalla <r...@apache.org> wrote:
> >
> > Hi all,
> >
> > this is a first attempt at a vote for a release of Apache TomEE 7.1.5
> >
> > It is a maintenance release with some bug fixes and dependency
> > upgrades for which there was some interest on the list.
> >
> > Yet, a discussion, if this will be the last release of the 7.1.x
> > series, is pending.
> >
> > Here are some infos:
> >
> > Maven Repo:
> > https://repository.apache.org/content/repositories/orgapachetomee-1206
> >
> >   <repositories>
> >     <repository>
> >       <id>tomee-7.1.5-release-test</id>
> >       <name>Testing TomEE 7.1.5 release candidate</name>
> > <url>
> > https://repository.apache.org/content/repositories/orgapachetomee-1206
> > </url>
> >     </repository>
> >   </repositories>
> >
> >
> > Binaries & Source:
> > https://dist.apache.org/repos/dist/dev/tomee/staging-1206/
> >
> > Tag:
> > https://github.com/apache/tomee/tree/tomee-project-7.1.5
> >
> > Latest (green) CI/CD build:
> >
> > https://ci-builds.apache.org/job/Tomee/job/tomee-7.1.x/19/
> >
> > Release notes:
> >
> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12349482
> >
> >
> > Here is an adoc generated version of the changelog as well:
> >
> >
> > == Dependency upgrade
> >
> > [.compact]
> >  - link:https://issues.apache.org/jira/browse/TOMEE-2959[TOMEE-2959]
> > jackson 2.12.0
> >  - link:https://issues.apache.org/jira/browse/TOMEE-3941[TOMEE-3941]
> > ActiveMQ 5.16.5
> >  - link:https://issues.apache.org/jira/browse/TOMEE-3985[TOMEE-3985]
> > BatchEE 1.0.2
> >  - link:https://issues.apache.org/jira/browse/TOMEE-3772[TOMEE-3772]
> > JUnit 4.13.2
> >  - link:https://issues.apache.org/jira/browse/TOMEE-2979[TOMEE-2979]
> > MyFaces 2.2.14
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4016[TOMEE-4016]
> > Myfaces 2.2.15
> >  - link:https://issues.apache.org/jira/browse/TOMEE-2958[TOMEE-2958]
> > Tomcat 8.5.61
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4017[TOMEE-4017]
> > Tomcat 8.5.81
> >  - link:https://issues.apache.org/jira/browse/TOMEE-2939[TOMEE-2939]
> > bcprov-jdk15on 1.67
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4018[TOMEE-4018]
> > bcprov-jdk15on 1.70
> >  - link:https://issues.apache.org/jira/browse/TOMEE-3719[TOMEE-3719]
> > commons-io 2.8
> >
> > == Bug
> >
> > [.compact]
> >  - link:https://issues.apache.org/jira/browse/TOMEE-2919[TOMEE-2919]
> > java.util.ConcurrentModificationException error deploying ear in TomEE
> > Plus 7.1.4
> >  - link:https://issues.apache.org/jira/browse/TOMEE-2968[TOMEE-2968]
> > Postgres connection error when a password contains "}"
> >  - link:https://issues.apache.org/jira/browse/TOMEE-2125[TOMEE-2125]
> > Datasource config: MaxWait, timeBetweenEvictionRunsMillis and
> > MinEvictableIdleTimeMillis are ignored
> >  - link:https://issues.apache.org/jira/browse/TOMEE-3718[TOMEE-3718]
> > Missing mime mappings
> >
> > == Improvement
> >
> > [.compact]
> >  - link:https://issues.apache.org/jira/browse/TOMEE-2957[TOMEE-2957]
> > Fix OWASP Checks on ASF Jenkins Environment
> >  - link:https://issues.apache.org/jira/browse/TOMEE-2973[TOMEE-2973]
> > TomEE :: Examples :: JSF2/CDI/BV/JPA/DeltaSpike uses too old version of
> > commons-lang3
> >
> >
> > Please VOTE
> >
> > [+1] go ship it
> > [+0] meh, don't care
> > [-1] stop, there is a ${showstopper}
> >
> > The VOTE is open for 72h or as long as needed.
> >
> > Regards
> > Richard
> >
>

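The two checks raised in this thread, a Grype scan of the extracted archive and the leftover SNAPSHOT libraries, can be turned into a small release-candidate gate. This is an added example, not code from the TomEE project or from anyone on the thread; it assumes Grype's JSON report shape (a top-level `matches` array with `vulnerability.severity`, `vulnerability.id` and `artifact.name`/`version`), and the report content and jar names below are constructed placeholders, not real findings.

```python
import json
import tempfile
from collections import Counter
from pathlib import Path

# Constructed sample in the shape of Grype's JSON report; the CVE ids and
# library names are placeholders, not real scan results.
SAMPLE_GRYPE_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical"},
     "artifact": {"name": "example-lib", "version": "1.0.0"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "High"},
     "artifact": {"name": "example-lib", "version": "1.0.0"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium"},
     "artifact": {"name": "other-lib", "version": "2.3.4"}},
]})


def severity_counts(grype_json: str) -> Counter:
    """Count matches per severity: the 'N Critical and M High' summary."""
    report = json.loads(grype_json)
    return Counter(m["vulnerability"]["severity"] for m in report.get("matches", []))


def snapshot_jars(extract_dir: str) -> list:
    """Jars under the extracted archive whose file name still carries -SNAPSHOT."""
    root = Path(extract_dir)
    return sorted(p.relative_to(root).as_posix()
                  for p in root.rglob("*.jar") if "-SNAPSHOT" in p.name)


def make_sample_extract() -> str:
    """Build a constructed stand-in for an extracted archive (empty jar files)."""
    root = Path(tempfile.mkdtemp())
    for name in ("lib/example-core-7.1.5-SNAPSHOT.jar", "lib/example-util-2.0.jar"):
        (root / name).parent.mkdir(parents=True, exist_ok=True)
        (root / name).write_bytes(b"")
    return str(root)


def release_blockers(grype_json: str, extract_dir: str) -> list:
    """Reasons to vote -1: leftover SNAPSHOT jars and Critical/High findings."""
    blockers = [f"SNAPSHOT artifact: {j}" for j in snapshot_jars(extract_dir)]
    counts = severity_counts(grype_json)
    for sev in ("Critical", "High"):
        if counts[sev]:
            blockers.append(f"{counts[sev]} {sev} finding(s)")
    return blockers
```

To use it on a real candidate, extract the tarball, run Grype with JSON output over that directory, and pass the report text and the directory to `release_blockers`; an empty list means neither check fired.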