Re: [VOTE] Apache TomEE 8.0.13 - First Attempt

Alex The Rocker Tue, 11 Oct 2022 12:22:58 -0700

+1 for more frequent releases (at least based on CVE with at least
high severity)
and yes, I have a relatively large test base ; stay tuned!


Le mar. 11 oct. 2022 à 21:16, Richard Zowalla <r...@apache.org> a écrit :
>
> Hi Alex,
>
> we can maybe get into the habit of realising more often (yes, I know:
> we discussed this over and over on the list...).
>
> I was just copying from the VOTE template docs, which mention to write
> "first attempt" and so on... - so no regrets just copy & paste.
>
> I don't expect any suprises but we never know: I did some tests on some
> of our projects (jaxrs, jaxws, batche, ...) but I have no possibility
> to do large scale tests as you can do them ;-) - so happy to get some
> feedback.
>
> The CXF cleanup might be a candidate for regressions as we shipped
> older code under the covers of newer cxf versions and didn't notice
> that for some time now.
>
> Gruß
> Richard
>
>
>
> Am Dienstag, dem 11.10.2022 um 21:05 +0200 schrieb Alex The Rocker:
> > Hi Richard,
> >
> > Thanks for this quick TomEE 8.0.3 release after not so long
> > discussions!
> > I'll run some tests ASAP and then give my vote (non-binding).
> > Why do you mention "1st attempt"? Any regrets ?
> >
> > Alex
> >
> > Le mar. 11 oct. 2022 à 20:01, Richard Zowalla <r...@apache.org> a
> > écrit :
> > > Hi all,
> > >
> > > this is a first attempt at a vote for a release of Apache TomEE
> > > 8.0.13.
> > >
> > > It is a maintenance release with some bug fixes and dependencies
> > > upgrades.
> > >
> > > ###############
> > >
> > > Maven Repo:
> > > https://repository.apache.org/content/repositories/orgapachetomee-1207
> > >
> > >   <repositories>
> > >     <repository>
> > >       <id>tomee-8.0.13-release-test</id>
> > >       <name>Testing TomEE 8.0.13 release candidate</name>
> > > <url>
> > > https://repository.apache.org/content/repositories/orgapachetomee-1207
> > > </url>
> > >     </repository>
> > >   </repositories>
> > >
> > > ###############
> > >
> > > Binaries & Source:
> > >
> > > https://dist.apache.org/repos/dist/dev/tomee/staging-1207/tomee-8.0.13/
> > >
> > > ###############
> > >
> > > Tag:
> > >
> > > https://github.com/apache/tomee/releases/tag/tomee-project-8.0.13
> > >
> > > ###############
> > >
> > > Latest CI/CD build:
> > >
> > > https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full/226/
> > >
> > > ###############
> > >
> > > Release notes:
> > >
> > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12351820
> > >
> > > ###############
> > >
> > > Here is an adoc generated version of the changelog as well:
> > >
> > > == Dependency upgrade
> > >
> > > [.compact]
> > >  - link:
> > > https://issues.apache.org/jira/browse/TOMEE-3985[TOMEE-3985]
> > > BatchEE 1.0.2
> > >  - link:
> > > https://issues.apache.org/jira/browse/TOMEE-4057[TOMEE-4057]
> > > CXF 3.4.8
> > >  - link:
> > > https://issues.apache.org/jira/browse/TOMEE-3800[TOMEE-3800]
> > > DBCP 2.9.0
> > >  - link:
> > > https://issues.apache.org/jira/browse/TOMEE-4059[TOMEE-4059]
> > > EclipseLink 2.7.11
> > >  - link:
> > > https://issues.apache.org/jira/browse/TOMEE-4063[TOMEE-4063]
> > > Geronimo Transaction Manager 3.1.5
> > >  - link:
> > > https://issues.apache.org/jira/browse/TOMEE-4019[TOMEE-4019]
> > > HSQLDB 2.7.0
> > >  - link:
> > > https://issues.apache.org/jira/browse/TOMEE-3986[TOMEE-3986]
> > > Hibernate Integration 5.6.9.Final
> > >  - link:
> > > https://issues.apache.org/jira/browse/TOMEE-4042[TOMEE-4042]
> > > Jackson 2.13.4
> > >  - link:
> > > https://issues.apache.org/jira/browse/TOMEE-4067[TOMEE-4067]
> > > Jackson 2.14.0-rc1
> > >  - link:
> > > https://issues.apache.org/jira/browse/TOMEE-4020[TOMEE-4020]
> > > Jakarta Faces 2.3.18
> > >  - link:
> > > https://issues.apache.org/jira/browse/TOMEE-4026[TOMEE-4026]
> > > Johnzon 1.2.19
> > >  - link:
> > > https://issues.apache.org/jira/browse/TOMEE-4030[TOMEE-4030]
> > > Log4J2 2.18.0
> > >  - link:
> > > https://issues.apache.org/jira/browse/TOMEE-3998[TOMEE-3998]
> > > MyFaces 2.3.10
> > >  - link:
> > > https://issues.apache.org/jira/browse/TOMEE-4044[TOMEE-4044]
> > > Snakeyaml 1.32
> > >  - link:
> > > https://issues.apache.org/jira/browse/TOMEE-4054[TOMEE-4054]
> > > Snakeyaml 1.33
> > >  - link:
> > > https://issues.apache.org/jira/browse/TOMEE-4002[TOMEE-4002]
> > > Tomcat 9.0.64
> > >  - link:
> > > https://issues.apache.org/jira/browse/TOMEE-4051[TOMEE-4051]
> > > Tomcat 9.0.65
> > >  - link:
> > > https://issues.apache.org/jira/browse/TOMEE-4060[TOMEE-4060]
> > > Tomcat 9.0.67
> > >  - link:
> > > https://issues.apache.org/jira/browse/TOMEE-4087[TOMEE-4087]
> > > Tomcat 9.0.68
> > >  - link:
> > > https://issues.apache.org/jira/browse/TOMEE-4018[TOMEE-4018]
> > > bcprov-jdk15on 1.70
> > >
> > > == New Feature
> > >
> > > [.compact]
> > >  - link:
> > > https://issues.apache.org/jira/browse/TOMEE-3928[TOMEE-3928]
> > > Example for properties provider
> > >
> > > == Bug
> > >
> > > [.compact]
> > >  - link:
> > > https://issues.apache.org/jira/browse/TOMEE-4021[TOMEE-4021]
> > > Unexpected ehcache 3.8.1 in tomee/lib
> > >  - link:
> > > https://issues.apache.org/jira/browse/TOMEE-3850[TOMEE-3850]
> > > HTTP(S) connections are not reused
> > >  - link:
> > > https://issues.apache.org/jira/browse/TOMEE-4014[TOMEE-4014]
> > > Unable to see TomEE version in Tomcat home page with Java 17
> > >  - link:
> > > https://issues.apache.org/jira/browse/TOMEE-3979[TOMEE-3979]
> > > service.bat issue when using JRE_HOME on Windows
> > >  - link:
> > > https://issues.apache.org/jira/browse/TOMEE-4041[TOMEE-4041] 4
> > > CVE Vulnerabilities in snakeyaml-1.30.jar
> > >  - link:
> > > https://issues.apache.org/jira/browse/TOMEE-4001[TOMEE-4001]
> > > CVE-2022-34305 displaying user provided data without filtering,
> > > exposing a XSS vulnerability
> > >
> > > == Improvement
> > >
> > > [.compact]
> > >  - link:
> > > https://issues.apache.org/jira/browse/TOMEE-3878[TOMEE-3878]
> > > Backport 'No interface view EJB proxies broken on JDK16+' [TOMEE-
> > > 3877] to TomEE 8.x
> > >
> > > == Task
> > >
> > > [.compact]
> > >  - link:
> > > https://issues.apache.org/jira/browse/TOMEE-4064[TOMEE-4064]
> > > OpenJPA 3.2.2 (examples), EclipseLink 2.7.11 (examples), Derby
> > > 10.14.2.0
> > >  - link:
> > > https://issues.apache.org/jira/browse/TOMEE-4022[TOMEE-4022]
> > > Move to Apache Rat
> > >  - link:
> > > https://issues.apache.org/jira/browse/TOMEE-4056[TOMEE-4056]
> > > Log4J2 2.19.0
> > >  - link:
> > > https://issues.apache.org/jira/browse/TOMEE-4058[TOMEE-4058]
> > > Update Krazo, DeltaSpike and Hibernate
> > >  - link:
> > > https://issues.apache.org/jira/browse/TOMEE-3914[TOMEE-3914]
> > > Spring 3 Dependencies in TomEE Root POM
> > >  - link:
> > > https://issues.apache.org/jira/browse/TOMEE-4088[TOMEE-4088]
> > > Add workaround for CVE-2022-41853 (hsqldb)
> > >
> > > == Documentation
> > >
> > > [.compact]
> > >  - link:
> > > https://issues.apache.org/jira/browse/TOMEE-4023[TOMEE-4023]
> > > Comparison pages with wrong specs per profiles
> > >  - link:
> > > https://issues.apache.org/jira/browse/TOMEE-3981[TOMEE-3981]
> > > update javadoc to reflect updates on Jakarta EE
> > >
> > > == Fixed Common Vulnerabilities and Exposures (CVEs)
> > >
> > > [.compact]
> > >  - link:
> > > https://issues.apache.org/jira/browse/TOMEE-4041[TOMEE-4041] 4
> > > CVE Vulnerabilities in snakeyaml-1.30.jar
> > >  - link:
> > > https://issues.apache.org/jira/browse/TOMEE-4001[TOMEE-4001]
> > > CVE-2022-34305 displaying user provided data without filtering,
> > > exposing a XSS vulnerability
> > >  - link:
> > > https://issues.apache.org/jira/browse/TOMEE-4088[TOMEE-4088]
> > > Add workaround for CVE-2022-41853 (hsqldb)
> > >
> > > ###############
> > >
> > > Here is the dependency diff from 8.0.12 to 8.0.13 created with
> > > David's
> > > new feature in our release tools:
> > >
> > >           artifactId               from            to
> > > ------------------------------- ---------- -------------------
> > >  jackson-annotations               2.13.2   2.14.0-rc1
> > >  jackson-core                      2.13.2   2.14.0-rc1
> > >  jackson-databind                2.13.2.2   2.14.0-rc1
> > >  jackson-dataformat-yaml           2.13.2   2.14.0-rc1
> > >  commons-cli                          1.4   1.5.0
> > >  batchee-jbatch                     1.0.1   1.0.2
> > >  commons-dbcp2                      2.3.0   2.9.0
> > >  cxf-rt-bindings-soap               3.4.5   3.4.8
> > >  cxf-rt-bindings-xml                3.4.5   3.4.8
> > >  cxf-rt-frontend-jaxws              3.4.5   3.4.8
> > >  cxf-rt-frontend-simple             3.4.5   3.4.8
> > >  cxf-rt-management                  3.4.5   3.4.8
> > >  cxf-rt-rs-extension-providers      3.4.5   3.4.8
> > >  cxf-rt-rs-extension-search         3.4.5   3.4.8
> > >  cxf-rt-rs-json-basic               3.4.5   3.4.8
> > >  cxf-rt-rs-mp-client                3.4.5   3.4.8
> > >  cxf-rt-rs-security-cors            3.4.5   3.4.8
> > >  cxf-rt-rs-security-jose            3.4.5   3.4.8
> > >  cxf-rt-rs-security-jose-jaxrs      3.4.5   3.4.8
> > >  cxf-rt-rs-security-oauth2          3.4.5   3.4.8
> > >  cxf-rt-rs-service-description      3.4.5   3.4.8
> > >  cxf-rt-rs-sse                      3.4.5   3.4.8
> > >  cxf-rt-security                    3.4.5   3.4.8
> > >  cxf-rt-security-saml               3.4.5   3.4.8
> > >  cxf-rt-ws-addr                     3.4.5   3.4.8
> > >  cxf-rt-ws-policy                   3.4.5   3.4.8
> > >  cxf-rt-ws-security                 3.4.5   3.4.8
> > >  cxf-rt-wsdl                        3.4.5   3.4.8
> > >  geronimo-connector                 3.1.4   3.1.5
> > >  geronimo-transaction               3.1.4   3.1.5
> > >  johnzon-core                      1.2.18   1.2.19
> > >  johnzon-jaxrs                     1.2.18   1.2.19
> > >  johnzon-jsonb                     1.2.18   1.2.19
> > >  johnzon-jsonp-strict              1.2.18   1.2.19
> > >  johnzon-mapper                    1.2.18   1.2.19
> > >  myfaces-api                        2.3.9   2.3.10
> > >  myfaces-impl                       2.3.9   2.3.10
> > >  cxf-shade                         8.0.12   8.0.13
> > >  taglibs-shade                     8.0.12   8.0.13
> > >  tomee-bootstrap                   8.0.12   8.0.13
> > >  bcprov-jdk15on                      1.69   1.70
> > >  eclipselink                        2.7.9   2.7.11
> > >  jakarta.faces                     2.3.15   2.3.18
> > >  hsqldb                             2.5.2   2.7.0
> > >  snakeyaml                           1.30   1.33
> > >
> > > ###############
> > >
> > > Please note:
> > >
> > > (1) CVE-2022-42003 (jackson-databind): Users are only affected, if
> > > 'UNWRAP_SINGLE_VALUE_ARRAYS' is set to enabled. Mitigation is
> > > included
> > > in 2.14.0-rc1 - as discussed in a separate thread, we are "ok" to
> > > ship
> > > a RC version. We aim to do a follow up release of TomEE 8.x soon.
> > >
> > > (2) CVE-2022-41853 (hsqldb): As v2.7.1 isn't available yet, TomEE
> > > sets
> > > "hsqldb.method_class_names" to an invalid value to mitigate the
> > > vulnerability. Users can override the property as needed.
> > >
> > > ###############
> > >
> > >
> > > Please VOTE
> > >
> > > [+1] go ship it
> > > [+0] meh, don't care
> > > [-1] stop, there is a ${showstopper}
> > >
> > > The VOTE is open for 72h or as long as needed.
> > >
> > > Gruß
> > > Richard
> > >
> > >
> > >
> > >
> > >
> > >
>

Re: [VOTE] Apache TomEE 8.0.13 - First Attempt

Reply via email to