I'm fully focused on TomEE 9 at the moment. I'll have a look at the BVal failure though in case it comes to my mind.

--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com

On Thu, Oct 6, 2022 at 2:31 PM Zowalla, Richard <richard.zowa...@hs-heilbronn.de> wrote:

> Hi,
>
> a short update here. Looks like we are +1 for doing a release rather soon than later.
>
> Swell and myself did some dependency updates in the last days.
>
> I think, that we are in a good shape soon but need to address the following things:
>
> (A) BVAL 2.0.6
>
> Currently, we have one bval tck test failing in TomEE, which is similar to [1]. I asked JL on Slack for help as he seems to be the person who solved it in [1]. Otherwise, we might revert the upgrade.
>
> (B) TOMEE-4066
>
> Jackson seems to be affected by CVE-2022-42004 and CVE-2022-42003. The latter requires 2.14.0-rc1 as a fixed version. 2.14.0 final is planned for mid October [2], so we either ship with rc1 or wait until mid October.
>
> Regards
> Richard
>
> [1] https://www.mail-archive.com/dev@tomee.apache.org/msg14542.html
> [2] https://groups.google.com/g/jackson-dev/c/RuiMDNM3vpQ/m/FgLnTxBPAwAJ
>
> On Thursday, 29.09.2022 at 10:22 +0100, Jonathan Gallimore wrote:
> > +1. And yes, this will include the fix to mitigate CVE-2021-43980.
> >
> > Jon
> >
> > On Wed, Sep 28, 2022 at 6:45 PM Alex The Rocker <alex.m3...@gmail.com> wrote:
> >
> > > Hi there,
> > >
> > > +1 for a TomEE 8.013 ASAP provided it includes fix for:
> > >
> > > CVE-2021-43980 Apache Tomcat - Information Disclosure
> > >
> > > Kind regards,
> > > Alex
> > >
> > > On Wed, Sep 28, 2022 at 18:45, Zowalla, Richard <richard.zowa...@hs-heilbronn.de> wrote:
> > > > Hi all,
> > > >
> > > > our last 8.x release was in June and we have 22 pending updates/issues for 8.0.13. Mostly dependency updates (johnzon, dbcp2, myfaces, hsqldb, tomcat, jakarta faces), and some minor bugs (windows, jdk17+ related backports), see below.
> > > >
> > > > We might need to go through the 3rd party libs again and see, if there are additional updates we might want to include.
> > > >
> > > > Would be worth to do a release soon (Mid/End of October?), imho.
> > > >
> > > > Is there anything else we should include / patch before doing a 8.0.13?
> > > > Any objections?
> > > >
> > > > Wdyt?
> > > >
> > > > Regards
> > > > Richard
> > > >
> > > > == Dependency upgrade
> > > >
> > > > [.compact]
> > > > - link: https://issues.apache.org/jira/browse/TOMEE-3985[TOMEE-3985] BatchEE 1.0.2
> > > > - link: https://issues.apache.org/jira/browse/TOMEE-3800[TOMEE-3800] DBCP 2.9.0
> > > > - link: https://issues.apache.org/jira/browse/TOMEE-3986[TOMEE-3986] Hibernate Integration 5.6.9.Final
> > > > - link: https://issues.apache.org/jira/browse/TOMEE-4042[TOMEE-4042] Jackson 2.13.4
> > > > - link: https://issues.apache.org/jira/browse/TOMEE-4020[TOMEE-4020] Jakarta Faces 2.3.18
> > > > - link: https://issues.apache.org/jira/browse/TOMEE-4026[TOMEE-4026] Johnzon 1.2.19
> > > > - link: https://issues.apache.org/jira/browse/TOMEE-4030[TOMEE-4030] Log4J2 2.18.0
> > > > - link: https://issues.apache.org/jira/browse/TOMEE-3998[TOMEE-3998] MyFaces 2.3.10
> > > > - link: https://issues.apache.org/jira/browse/TOMEE-4044[TOMEE-4044] Snakeyaml 1.32
> > > > - link: https://issues.apache.org/jira/browse/TOMEE-4002[TOMEE-4002] Tomcat 9.0.64
> > > > - link: https://issues.apache.org/jira/browse/TOMEE-4051[TOMEE-4051] Tomcat 9.0.65
> > > > - link: https://issues.apache.org/jira/browse/TOMEE-4018[TOMEE-4018] bcprov-jdk15on 1.70
> > > >
> > > > == Bug
> > > >
> > > > [.compact]
> > > > - link: https://issues.apache.org/jira/browse/TOMEE-4021[TOMEE-4021] Unexpected ehcache 3.8.1 in tomee/lib
> > > > - link: https://issues.apache.org/jira/browse/TOMEE-4014[TOMEE-4014] Unable to see TomEE version in Tomcat home page with Java 17
> > > > - link: https://issues.apache.org/jira/browse/TOMEE-4019[TOMEE-4019] HSQLDB 2.7.0
> > > > - link: https://issues.apache.org/jira/browse/TOMEE-3979[TOMEE-3979] service.bat issue when using JRE_HOME on Windows
> > > > - link: https://issues.apache.org/jira/browse/TOMEE-4041[TOMEE-4041] 4 CVE Vulnerabilities in snakeyaml-1.30.jar
> > > > - link: https://issues.apache.org/jira/browse/TOMEE-4001[TOMEE-4001] CVE-2022-34305 displaying user provided data without filtering, exposing a XSS vulnerability
> > > >
> > > > == Improvement
> > > >
> > > > [.compact]
> > > > - link: https://issues.apache.org/jira/browse/TOMEE-4000[TOMEE-4000] Add security.txt to website
> > > > - link: https://issues.apache.org/jira/browse/TOMEE-3878[TOMEE-3878] Backport TOMEE-3877 to TomEE 8.x
> > > > - link: https://issues.apache.org/jira/browse/TOMEE-3914[TOMEE-3914] Spring 3 Dependencies in TomEE Root POM
> > > >
> > > > == Task
> > > >
> > > > [.compact]
> > > > - link: https://issues.apache.org/jira/browse/TOMEE-4022[TOMEE-4022] Move to Apache Rat
> > > >
> > > > == Fixed Common Vulnerabilities and Exposures (CVEs)
> > > >
> > > > [.compact]
> > > > - link: https://issues.apache.org/jira/browse/TOMEE-4041[TOMEE-4041] 4 CVE Vulnerabilities in snakeyaml-1.30.jar
> > > > - link: https://issues.apache.org/jira/browse/TOMEE-4001[TOMEE-4001] CVE-2022-34305 displaying user provided data without filtering, exposing a XSS vulnerability