Hi all,

this is a first attempt at a vote for a release of Apache TomEE 8.0.13.

It is a maintenance release with some bug fixes and dependency
upgrades.

###############

Maven Repo:
https://repository.apache.org/content/repositories/orgapachetomee-1207

  <repositories>
    <repository>
      <id>tomee-8.0.13-release-test</id>
      <name>Testing TomEE 8.0.13 release candidate</name>
      <url>https://repository.apache.org/content/repositories/orgapachetomee-1207</url>
    </repository>
  </repositories>

###############

Binaries & Source:

https://dist.apache.org/repos/dist/dev/tomee/staging-1207/tomee-8.0.13/

###############

Tag:

https://github.com/apache/tomee/releases/tag/tomee-project-8.0.13

###############

Latest CI/CD build:

https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full/226/

###############

Release notes:

https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12351820

###############

Here is an adoc generated version of the changelog as well:

== Dependency upgrade

[.compact]
 - link:https://issues.apache.org/jira/browse/TOMEE-3985[TOMEE-3985]
BatchEE 1.0.2
 - link:https://issues.apache.org/jira/browse/TOMEE-4057[TOMEE-4057]
CXF 3.4.8
 - link:https://issues.apache.org/jira/browse/TOMEE-3800[TOMEE-3800]
DBCP 2.9.0
 - link:https://issues.apache.org/jira/browse/TOMEE-4059[TOMEE-4059]
EclipseLink 2.7.11
 - link:https://issues.apache.org/jira/browse/TOMEE-4063[TOMEE-4063]
Geronimo Transaction Manager 3.1.5
 - link:https://issues.apache.org/jira/browse/TOMEE-4019[TOMEE-4019]
HSQLDB 2.7.0
 - link:https://issues.apache.org/jira/browse/TOMEE-3986[TOMEE-3986]
Hibernate Integration 5.6.9.Final
 - link:https://issues.apache.org/jira/browse/TOMEE-4042[TOMEE-4042]
Jackson 2.13.4
 - link:https://issues.apache.org/jira/browse/TOMEE-4067[TOMEE-4067]
Jackson 2.14.0-rc1
 - link:https://issues.apache.org/jira/browse/TOMEE-4020[TOMEE-4020]
Jakarta Faces 2.3.18
 - link:https://issues.apache.org/jira/browse/TOMEE-4026[TOMEE-4026]
Johnzon 1.2.19
 - link:https://issues.apache.org/jira/browse/TOMEE-4030[TOMEE-4030]
Log4J2 2.18.0
 - link:https://issues.apache.org/jira/browse/TOMEE-3998[TOMEE-3998]
MyFaces 2.3.10
 - link:https://issues.apache.org/jira/browse/TOMEE-4044[TOMEE-4044]
Snakeyaml 1.32
 - link:https://issues.apache.org/jira/browse/TOMEE-4054[TOMEE-4054]
Snakeyaml 1.33
 - link:https://issues.apache.org/jira/browse/TOMEE-4002[TOMEE-4002]
Tomcat 9.0.64
 - link:https://issues.apache.org/jira/browse/TOMEE-4051[TOMEE-4051]
Tomcat 9.0.65
 - link:https://issues.apache.org/jira/browse/TOMEE-4060[TOMEE-4060]
Tomcat 9.0.67
 - link:https://issues.apache.org/jira/browse/TOMEE-4087[TOMEE-4087]
Tomcat 9.0.68
 - link:https://issues.apache.org/jira/browse/TOMEE-4018[TOMEE-4018]
bcprov-jdk15on 1.70

== New Feature

[.compact]
 - link:https://issues.apache.org/jira/browse/TOMEE-3928[TOMEE-3928]
Example for properties provider

== Bug

[.compact]
 - link:https://issues.apache.org/jira/browse/TOMEE-4021[TOMEE-4021]
Unexpected ehcache 3.8.1 in tomee/lib
 - link:https://issues.apache.org/jira/browse/TOMEE-3850[TOMEE-3850]
HTTP(S) connections are not reused
 - link:https://issues.apache.org/jira/browse/TOMEE-4014[TOMEE-4014]
Unable to see TomEE version in Tomcat home page with Java 17
 - link:https://issues.apache.org/jira/browse/TOMEE-3979[TOMEE-3979]
service.bat issue when using JRE_HOME on Windows
 - link:https://issues.apache.org/jira/browse/TOMEE-4041[TOMEE-4041]
4 CVE Vulnerabilities in snakeyaml-1.30.jar
 - link:https://issues.apache.org/jira/browse/TOMEE-4001[TOMEE-4001]
CVE-2022-34305 displaying user provided data without filtering, exposing a XSS vulnerability

== Improvement

[.compact]
 - link:https://issues.apache.org/jira/browse/TOMEE-3878[TOMEE-3878]
Backport 'No interface view EJB proxies broken on JDK16+' [TOMEE-3877] to TomEE 8.x

== Task

[.compact]
 - link:https://issues.apache.org/jira/browse/TOMEE-4064[TOMEE-4064]
OpenJPA 3.2.2 (examples), EclipseLink 2.7.11 (examples), Derby 10.14.2.0
 - link:https://issues.apache.org/jira/browse/TOMEE-4022[TOMEE-4022]
Move to Apache Rat
 - link:https://issues.apache.org/jira/browse/TOMEE-4056[TOMEE-4056]
Log4J2 2.19.0
 - link:https://issues.apache.org/jira/browse/TOMEE-4058[TOMEE-4058]
Update Krazo, DeltaSpike and Hibernate
 - link:https://issues.apache.org/jira/browse/TOMEE-3914[TOMEE-3914]
Spring 3 Dependencies in TomEE Root POM
 - link:https://issues.apache.org/jira/browse/TOMEE-4088[TOMEE-4088]
Add workaround for CVE-2022-41853 (hsqldb)

== Documentation

[.compact]
 - link:https://issues.apache.org/jira/browse/TOMEE-4023[TOMEE-4023]
Comparison pages with wrong specs per profiles
 - link:https://issues.apache.org/jira/browse/TOMEE-3981[TOMEE-3981]
update javadoc to reflect updates on Jakarta EE

== Fixed Common Vulnerabilities and Exposures (CVEs)

[.compact]
 - link:https://issues.apache.org/jira/browse/TOMEE-4041[TOMEE-4041]
4 CVE Vulnerabilities in snakeyaml-1.30.jar
 - link:https://issues.apache.org/jira/browse/TOMEE-4001[TOMEE-4001]
CVE-2022-34305 displaying user provided data without filtering, exposing a XSS vulnerability
 - link:https://issues.apache.org/jira/browse/TOMEE-4088[TOMEE-4088]
Add workaround for CVE-2022-41853 (hsqldb)

###############

Here is the dependency diff from 8.0.12 to 8.0.13 created with David's
new feature in our release tools:

          artifactId               from            to         
------------------------------- ---------- -------------------
 jackson-annotations               2.13.2   2.14.0-rc1        
 jackson-core                      2.13.2   2.14.0-rc1        
 jackson-databind                2.13.2.2   2.14.0-rc1        
 jackson-dataformat-yaml           2.13.2   2.14.0-rc1        
 commons-cli                          1.4   1.5.0             
 batchee-jbatch                     1.0.1   1.0.2             
 commons-dbcp2                      2.3.0   2.9.0             
 cxf-rt-bindings-soap               3.4.5   3.4.8             
 cxf-rt-bindings-xml                3.4.5   3.4.8             
 cxf-rt-frontend-jaxws              3.4.5   3.4.8             
 cxf-rt-frontend-simple             3.4.5   3.4.8             
 cxf-rt-management                  3.4.5   3.4.8             
 cxf-rt-rs-extension-providers      3.4.5   3.4.8             
 cxf-rt-rs-extension-search         3.4.5   3.4.8             
 cxf-rt-rs-json-basic               3.4.5   3.4.8             
 cxf-rt-rs-mp-client                3.4.5   3.4.8             
 cxf-rt-rs-security-cors            3.4.5   3.4.8             
 cxf-rt-rs-security-jose            3.4.5   3.4.8             
 cxf-rt-rs-security-jose-jaxrs      3.4.5   3.4.8             
 cxf-rt-rs-security-oauth2          3.4.5   3.4.8             
 cxf-rt-rs-service-description      3.4.5   3.4.8             
 cxf-rt-rs-sse                      3.4.5   3.4.8             
 cxf-rt-security                    3.4.5   3.4.8             
 cxf-rt-security-saml               3.4.5   3.4.8             
 cxf-rt-ws-addr                     3.4.5   3.4.8             
 cxf-rt-ws-policy                   3.4.5   3.4.8             
 cxf-rt-ws-security                 3.4.5   3.4.8             
 cxf-rt-wsdl                        3.4.5   3.4.8             
 geronimo-connector                 3.1.4   3.1.5             
 geronimo-transaction               3.1.4   3.1.5             
 johnzon-core                      1.2.18   1.2.19            
 johnzon-jaxrs                     1.2.18   1.2.19            
 johnzon-jsonb                     1.2.18   1.2.19            
 johnzon-jsonp-strict              1.2.18   1.2.19            
 johnzon-mapper                    1.2.18   1.2.19            
 myfaces-api                        2.3.9   2.3.10            
 myfaces-impl                       2.3.9   2.3.10            
 cxf-shade                         8.0.12   8.0.13            
 taglibs-shade                     8.0.12   8.0.13            
 tomee-bootstrap                   8.0.12   8.0.13            
 bcprov-jdk15on                      1.69   1.70              
 eclipselink                        2.7.9   2.7.11            
 jakarta.faces                     2.3.15   2.3.18            
 hsqldb                             2.5.2   2.7.0             
 snakeyaml                           1.30   1.33              

###############

Please note: 

(1) CVE-2022-42003 (jackson-databind): Users are only affected, if
'UNWRAP_SINGLE_VALUE_ARRAYS' is set to enabled. Mitigation is included
in 2.14.0-rc1 - as discussed in a separate thread, we are "ok" to ship
a RC version. We aim to do a follow up release of TomEE 8.x soon.

(2) CVE-2022-41853 (hsqldb): As v2.7.1 isn't available yet, TomEE sets
"hsqldb.method_class_names" to an invalid value to mitigate the
vulnerability. Users can override the property as needed.

###############


Please VOTE

[+1] go ship it
[+0] meh, don't care
[-1] stop, there is a ${showstopper}

The VOTE is open for 72h or as long as needed.

Regards
Richard
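
The following is an added check and not part of Richard's mail or of the TomEE release tools: a POSIX shell script for verifying the staged "Binaries & Source" above before casting a vote. It recomputes the SHA-512 of every artifact that ships a .sha512 sidecar and verifies the OpenPGP signatures against a throw-away keyring seeded only from the project's KEYS file. It assumes the usual Apache staging layout (one <artifact>.sha512 and one <artifact>.asc next to each artifact, in any of the common sidecar formats) and the usual KEYS location https://downloads.apache.org/tomee/KEYS; the local directory names in the usage line are placeholders.

```shell
#!/bin/sh
# Added example for verifying a staged release candidate before voting;
# this is not part of the vote mail or of the TomEE release tools.
# Assumptions: each artifact in the staging directory has a sidecar
# "<artifact>.sha512" (bare digest, "digest  file", "digest *file", or the
# "file: HEX HEX ..." layout produced by gpg --print-md) and "<artifact>.asc";
# KEYS is the project's signing-key list (usually
# https://downloads.apache.org/tomee/KEYS).

# Recompute the SHA-512 of every artifact that has a .sha512 sidecar in DIR
# and compare it with the digest recorded in the sidecar.
# Returns 0 only when at least one sidecar exists and every one matches.
verify_sha512_dir() {
    dir=$1
    status=0
    found=0
    for sidecar in "$dir"/*.sha512; do
        [ -e "$sidecar" ] || continue
        found=1
        artifact=${sidecar%.sha512}
        name=$(basename "$artifact")
        if [ ! -f "$artifact" ]; then
            echo "MISSING  $name"
            status=1
            continue
        fi
        # Drop all whitespace, then take the first run of 128 hex digits: that
        # is the digest in every sidecar layout listed above.
        expected=$(tr -d ' \t\r\n' < "$sidecar" | grep -o -i '[0-9a-f]\{128\}' | head -n 1 | tr 'A-F' 'a-f')
        actual=$(sha512sum "$artifact" | awk '{print $1}')
        if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"
            status=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no .sha512 sidecars found in $dir"
        return 1
    fi
    return "$status"
}

# Verify every "<artifact>.asc" in DIR against a temporary keyring that holds
# only the keys from KEYS, so a stray key already trusted on the workstation
# cannot make a wrongly signed artifact look good.
verify_signatures_dir() {
    dir=$1
    keys=$2
    ring=$(mktemp -d) || return 1
    GNUPGHOME=$ring gpg --batch --quiet --import "$keys" || return 1
    status=0
    for sig in "$dir"/*.asc; do
        [ -e "$sig" ] || continue
        artifact=${sig%.asc}
        if GNUPGHOME=$ring gpg --batch --verify "$sig" "$artifact" 2>/dev/null; then
            echo "SIGNED   $(basename "$artifact")"
        else
            echo "BADSIG   $(basename "$artifact")"
            status=1
        fi
    done
    rm -rf "$ring"
    return "$status"
}

# Usage, after downloading the staging directory and KEYS (placeholder paths):
#   verify_sha512_dir ./tomee-8.0.13 && verify_signatures_dir ./tomee-8.0.13 ./KEYS
```

Both functions fail closed: an artifact without a sidecar is simply not reported, but a sidecar without its artifact, a digest mismatch, a bad signature or an empty directory all return non-zero, so the combined usage line only succeeds when everything present checks out.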
