Hi Alex,

we can maybe get into the habit of releasing more often (yes, I know: we discussed this over and over on the list...).

I was just copying from the VOTE template docs, which mention to write "first attempt" and so on... - so no regrets, just copy & paste.

I don't expect any surprises but we never know: I did some tests on some of our projects (jaxrs, jaxws, batche, ...) but I have no possibility to do large scale tests as you can do them ;-) - so happy to get some feedback. The CXF cleanup might be a candidate for regressions as we shipped older code under the covers of newer cxf versions and didn't notice that for some time now.

Regards
Richard

On Tuesday, 11.10.2022 at 21:05 +0200, Alex The Rocker wrote:
> Hi Richard,
>
> Thanks for this quick TomEE 8.0.3 release after not so long
> discussions!
> I'll run some tests ASAP and then give my vote (non-binding).
> Why do you mention "1st attempt"? Any regrets?
>
> Alex
>
> On Tue, 11 Oct 2022 at 20:01, Richard Zowalla <r...@apache.org> wrote:
> > Hi all,
> >
> > this is a first attempt at a vote for a release of Apache TomEE
> > 8.0.13.
> >
> > It is a maintenance release with some bug fixes and dependencies
> > upgrades.
> >
> > ###############
> >
> > Maven Repo:
> > https://repository.apache.org/content/repositories/orgapachetomee-1207
> >
> > <repositories>
> >   <repository>
> >     <id>tomee-8.0.13-release-test</id>
> >     <name>Testing TomEE 8.0.13 release candidate</name>
> >     <url>https://repository.apache.org/content/repositories/orgapachetomee-1207</url>
> >   </repository>
> > </repositories>
> >
> > ###############
> >
> > Binaries & Source:
> >
> > https://dist.apache.org/repos/dist/dev/tomee/staging-1207/tomee-8.0.13/
> >
> > ###############
> >
> > Tag:
> >
> > https://github.com/apache/tomee/releases/tag/tomee-project-8.0.13
> >
> > ###############
> >
> > Latest CI/CD build:
> >
> > https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full/226/
> >
> > ###############
> >
> > Release notes:
> >
> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12351820
> >
> > ###############
> >
> > Here is an adoc generated version of the changelog as well:
> >
> > == Dependency upgrade
> >
> > [.compact]
> > - link: https://issues.apache.org/jira/browse/TOMEE-3985[TOMEE-3985] BatchEE 1.0.2
> > - link: https://issues.apache.org/jira/browse/TOMEE-4057[TOMEE-4057] CXF 3.4.8
> > - link: https://issues.apache.org/jira/browse/TOMEE-3800[TOMEE-3800] DBCP 2.9.0
> > - link: https://issues.apache.org/jira/browse/TOMEE-4059[TOMEE-4059] EclipseLink 2.7.11
> > - link: https://issues.apache.org/jira/browse/TOMEE-4063[TOMEE-4063] Geronimo Transaction Manager 3.1.5
> > - link: https://issues.apache.org/jira/browse/TOMEE-4019[TOMEE-4019] HSQLDB 2.7.0
> > - link: https://issues.apache.org/jira/browse/TOMEE-3986[TOMEE-3986] Hibernate Integration 5.6.9.Final
> > - link: https://issues.apache.org/jira/browse/TOMEE-4042[TOMEE-4042] Jackson 2.13.4
> > - link: https://issues.apache.org/jira/browse/TOMEE-4067[TOMEE-4067] Jackson 2.14.0-rc1
> > - link: https://issues.apache.org/jira/browse/TOMEE-4020[TOMEE-4020] Jakarta Faces 2.3.18
> > - link: https://issues.apache.org/jira/browse/TOMEE-4026[TOMEE-4026] Johnzon 1.2.19
> > - link: https://issues.apache.org/jira/browse/TOMEE-4030[TOMEE-4030] Log4J2 2.18.0
> > - link: https://issues.apache.org/jira/browse/TOMEE-3998[TOMEE-3998] MyFaces 2.3.10
> > - link: https://issues.apache.org/jira/browse/TOMEE-4044[TOMEE-4044] Snakeyaml 1.32
> > - link: https://issues.apache.org/jira/browse/TOMEE-4054[TOMEE-4054] Snakeyaml 1.33
> > - link: https://issues.apache.org/jira/browse/TOMEE-4002[TOMEE-4002] Tomcat 9.0.64
> > - link: https://issues.apache.org/jira/browse/TOMEE-4051[TOMEE-4051] Tomcat 9.0.65
> > - link: https://issues.apache.org/jira/browse/TOMEE-4060[TOMEE-4060] Tomcat 9.0.67
> > - link: https://issues.apache.org/jira/browse/TOMEE-4087[TOMEE-4087] Tomcat 9.0.68
> > - link: https://issues.apache.org/jira/browse/TOMEE-4018[TOMEE-4018] bcprov-jdk15on 1.70
> >
> > == New Feature
> >
> > [.compact]
> > - link: https://issues.apache.org/jira/browse/TOMEE-3928[TOMEE-3928] Example for properties provider
> >
> > == Bug
> >
> > [.compact]
> > - link: https://issues.apache.org/jira/browse/TOMEE-4021[TOMEE-4021] Unexpected ehcache 3.8.1 in tomee/lib
> > - link: https://issues.apache.org/jira/browse/TOMEE-3850[TOMEE-3850] HTTP(S) connections are not reused
> > - link: https://issues.apache.org/jira/browse/TOMEE-4014[TOMEE-4014] Unable to see TomEE version in Tomcat home page with Java 17
> > - link: https://issues.apache.org/jira/browse/TOMEE-3979[TOMEE-3979] service.bat issue when using JRE_HOME on Windows
> > - link: https://issues.apache.org/jira/browse/TOMEE-4041[TOMEE-4041] 4 CVE Vulnerabilities in snakeyaml-1.30.jar
> > - link: https://issues.apache.org/jira/browse/TOMEE-4001[TOMEE-4001] CVE-2022-34305 displaying user provided data without filtering, exposing a XSS vulnerability
> >
> > == Improvement
> >
> > [.compact]
> > - link: https://issues.apache.org/jira/browse/TOMEE-3878[TOMEE-3878] Backport 'No interface view EJB proxies broken on JDK16+' [TOMEE-3877] to TomEE 8.x
> >
> > == Task
> >
> > [.compact]
> > - link: https://issues.apache.org/jira/browse/TOMEE-4064[TOMEE-4064] OpenJPA 3.2.2 (examples), EclipseLink 2.7.11 (examples), Derby 10.14.2.0
> > - link: https://issues.apache.org/jira/browse/TOMEE-4022[TOMEE-4022] Move to Apache Rat
> > - link: https://issues.apache.org/jira/browse/TOMEE-4056[TOMEE-4056] Log4J2 2.19.0
> > - link: https://issues.apache.org/jira/browse/TOMEE-4058[TOMEE-4058] Update Krazo, DeltaSpike and Hibernate
> > - link: https://issues.apache.org/jira/browse/TOMEE-3914[TOMEE-3914] Spring 3 Dependencies in TomEE Root POM
> > - link: https://issues.apache.org/jira/browse/TOMEE-4088[TOMEE-4088] Add workaround for CVE-2022-41853 (hsqldb)
> >
> > == Documentation
> >
> > [.compact]
> > - link: https://issues.apache.org/jira/browse/TOMEE-4023[TOMEE-4023] Comparison pages with wrong specs per profiles
> > - link: https://issues.apache.org/jira/browse/TOMEE-3981[TOMEE-3981] update javadoc to reflect updates on Jakarta EE
> >
> > == Fixed Common Vulnerabilities and Exposures (CVEs)
> >
> > [.compact]
> > - link: https://issues.apache.org/jira/browse/TOMEE-4041[TOMEE-4041] 4 CVE Vulnerabilities in snakeyaml-1.30.jar
> > - link: https://issues.apache.org/jira/browse/TOMEE-4001[TOMEE-4001] CVE-2022-34305 displaying user provided data without filtering, exposing a XSS vulnerability
> > - link: https://issues.apache.org/jira/browse/TOMEE-4088[TOMEE-4088] Add workaround for CVE-2022-41853 (hsqldb)
> >
> > ###############
> >
> > Here is the dependency diff from 8.0.12 to 8.0.13 created with
> > David's new feature in our release tools:
> >
> > artifactId                      from       to
> > ------------------------------- ---------- -------------------
> > jackson-annotations             2.13.2     2.14.0-rc1
> > jackson-core                    2.13.2     2.14.0-rc1
> > jackson-databind                2.13.2.2   2.14.0-rc1
> > jackson-dataformat-yaml         2.13.2     2.14.0-rc1
> > commons-cli                     1.4        1.5.0
> > batchee-jbatch                  1.0.1      1.0.2
> > commons-dbcp2                   2.3.0      2.9.0
> > cxf-rt-bindings-soap            3.4.5      3.4.8
> > cxf-rt-bindings-xml             3.4.5      3.4.8
> > cxf-rt-frontend-jaxws           3.4.5      3.4.8
> > cxf-rt-frontend-simple          3.4.5      3.4.8
> > cxf-rt-management               3.4.5      3.4.8
> > cxf-rt-rs-extension-providers   3.4.5      3.4.8
> > cxf-rt-rs-extension-search      3.4.5      3.4.8
> > cxf-rt-rs-json-basic            3.4.5      3.4.8
> > cxf-rt-rs-mp-client             3.4.5      3.4.8
> > cxf-rt-rs-security-cors         3.4.5      3.4.8
> > cxf-rt-rs-security-jose         3.4.5      3.4.8
> > cxf-rt-rs-security-jose-jaxrs   3.4.5      3.4.8
> > cxf-rt-rs-security-oauth2       3.4.5      3.4.8
> > cxf-rt-rs-service-description   3.4.5      3.4.8
> > cxf-rt-rs-sse                   3.4.5      3.4.8
> > cxf-rt-security                 3.4.5      3.4.8
> > cxf-rt-security-saml            3.4.5      3.4.8
> > cxf-rt-ws-addr                  3.4.5      3.4.8
> > cxf-rt-ws-policy                3.4.5      3.4.8
> > cxf-rt-ws-security              3.4.5      3.4.8
> > cxf-rt-wsdl                     3.4.5      3.4.8
> > geronimo-connector              3.1.4      3.1.5
> > geronimo-transaction            3.1.4      3.1.5
> > johnzon-core                    1.2.18     1.2.19
> > johnzon-jaxrs                   1.2.18     1.2.19
> > johnzon-jsonb                   1.2.18     1.2.19
> > johnzon-jsonp-strict            1.2.18     1.2.19
> > johnzon-mapper                  1.2.18     1.2.19
> > myfaces-api                     2.3.9      2.3.10
> > myfaces-impl                    2.3.9      2.3.10
> > cxf-shade                       8.0.12     8.0.13
> > taglibs-shade                   8.0.12     8.0.13
> > tomee-bootstrap                 8.0.12     8.0.13
> > bcprov-jdk15on                  1.69       1.70
> > eclipselink                     2.7.9      2.7.11
> > jakarta.faces                   2.3.15     2.3.18
> > hsqldb                          2.5.2      2.7.0
> > snakeyaml                       1.30       1.33
> >
> > ###############
> >
> > Please note:
> >
> > (1) CVE-2022-42003 (jackson-databind): Users are only affected, if
> > 'UNWRAP_SINGLE_VALUE_ARRAYS' is set to enabled. Mitigation is
> > included in 2.14.0-rc1 - as discussed in a separate thread, we are
> > "ok" to ship a RC version. We aim to do a follow up release of
> > TomEE 8.x soon.
> >
> > (2) CVE-2022-41853 (hsqldb): As v2.7.1 isn't available yet, TomEE
> > sets "hsqldb.method_class_names" to an invalid value to mitigate
> > the vulnerability. Users can override the property as needed.
> >
> > ###############
> >
> >
> > Please VOTE
> >
> > [+1] go ship it
> > [+0] meh, don't care
> > [-1] stop, there is a ${showstopper}
> >
> > The VOTE is open for 72h or as long as needed.
> >
> > Regards
> > Richard
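
A check a voter could run against the staged binaries, using rows from the dependency diff above and motivated by Richard's remark about older code shipped under newer CXF versions. This is an added example, not part of the thread or of TomEE's release tools; the jar listing is constructed and `audit` is a hypothetical helper.

```python
import re
from collections import defaultdict

# Rows copied from the "to" column of the 8.0.12 -> 8.0.13 diff in the vote mail.
EXPECTED = {
    "jackson-databind": "2.14.0-rc1",
    "cxf-rt-frontend-jaxws": "3.4.8",
    "cxf-rt-ws-security": "3.4.8",
    "hsqldb": "2.7.0",
    "snakeyaml": "1.33",
    "bcprov-jdk15on": "1.70",
}

# Constructed lib/ listing for illustration (not taken from the real archive).
SAMPLE_LIB = [
    "jackson-databind-2.14.0-rc1.jar",
    "cxf-rt-frontend-jaxws-3.4.8.jar",
    "cxf-rt-ws-security-3.4.5.jar",   # left at the old version
    "hsqldb-2.7.0.jar",
    "snakeyaml-1.33.jar",
    "snakeyaml-1.30.jar",             # old copy shipped next to the new one
    "bcprov-jdk15on-1.70.jar",
]

# artifactId, "-", then a version that starts with a digit.
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.\-]*)\.jar$")
PRERELEASE_RE = re.compile(r"(?i)(rc\d*|alpha|beta|snapshot)")


def audit(jar_names, expected=EXPECTED):
    """Return (artifact, finding, detail) tuples for a lib/ listing."""
    seen = defaultdict(set)
    for name in jar_names:
        m = JAR_RE.match(name)
        if m:
            seen[m["artifact"]].add(m["version"])
    findings = []
    for artifact, want in sorted(expected.items()):
        have = seen.get(artifact, set())
        if not have:
            findings.append((artifact, "missing", want))
        for version in sorted(have - {want}):
            findings.append((artifact, "stale", version))
        if len(have) > 1:
            findings.append((artifact, "duplicate", ",".join(sorted(have))))
        if PRERELEASE_RE.search(want):
            findings.append((artifact, "prerelease", want))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LIB):
        print(*finding)
```

To audit a real candidate, pass the file names from the unpacked archive's `lib/` directory instead of `SAMPLE_LIB`.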