Hi, +1
Thanks

On Sun, Oct 23, 2022, 08:29 Richard Zowalla <r...@apache.org> wrote:

> Any more votes?
>
> On Tuesday, 11.10.2022 at 19:59 +0200, Richard Zowalla wrote:
> > Hi all,
> >
> > this is a first attempt at a vote for a release of Apache TomEE 8.0.13.
> >
> > It is a maintenance release with some bug fixes and dependency upgrades.
> >
> > ###############
> >
> > Maven Repo:
> > https://repository.apache.org/content/repositories/orgapachetomee-1207
> >
> > <repositories>
> >   <repository>
> >     <id>tomee-8.0.13-release-test</id>
> >     <name>Testing TomEE 8.0.13 release candidate</name>
> >     <url>https://repository.apache.org/content/repositories/orgapachetomee-1207</url>
> >   </repository>
> > </repositories>
> >
> > ###############
> >
> > Binaries & Source:
> >
> > https://dist.apache.org/repos/dist/dev/tomee/staging-1207/tomee-8.0.13/
> >
> > ###############
> >
> > Tag:
> >
> > https://github.com/apache/tomee/releases/tag/tomee-project-8.0.13
> >
> > ###############
> >
> > Latest CI/CD build:
> >
> > https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full/226/
> >
> > ###############
> >
> > Release notes:
> >
> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12351820
> >
> > ###############
> >
> > Here is an adoc generated version of the changelog as well:
> >
> > == Dependency upgrade
> >
> > [.compact]
> > - link:https://issues.apache.org/jira/browse/TOMEE-3985[TOMEE-3985] BatchEE 1.0.2
> > - link:https://issues.apache.org/jira/browse/TOMEE-4057[TOMEE-4057] CXF 3.4.8
> > - link:https://issues.apache.org/jira/browse/TOMEE-3800[TOMEE-3800] DBCP 2.9.0
> > - link:https://issues.apache.org/jira/browse/TOMEE-4059[TOMEE-4059] EclipseLink 2.7.11
> > - link:https://issues.apache.org/jira/browse/TOMEE-4063[TOMEE-4063] Geronimo Transaction Manager 3.1.5
> > - link:https://issues.apache.org/jira/browse/TOMEE-4019[TOMEE-4019] HSQLDB 2.7.0
> > - link:https://issues.apache.org/jira/browse/TOMEE-3986[TOMEE-3986] Hibernate Integration 5.6.9.Final
> > - link:https://issues.apache.org/jira/browse/TOMEE-4042[TOMEE-4042] Jackson 2.13.4
> > - link:https://issues.apache.org/jira/browse/TOMEE-4067[TOMEE-4067] Jackson 2.14.0-rc1
> > - link:https://issues.apache.org/jira/browse/TOMEE-4020[TOMEE-4020] Jakarta Faces 2.3.18
> > - link:https://issues.apache.org/jira/browse/TOMEE-4026[TOMEE-4026] Johnzon 1.2.19
> > - link:https://issues.apache.org/jira/browse/TOMEE-4030[TOMEE-4030] Log4J2 2.18.0
> > - link:https://issues.apache.org/jira/browse/TOMEE-3998[TOMEE-3998] MyFaces 2.3.10
> > - link:https://issues.apache.org/jira/browse/TOMEE-4044[TOMEE-4044] Snakeyaml 1.32
> > - link:https://issues.apache.org/jira/browse/TOMEE-4054[TOMEE-4054] Snakeyaml 1.33
> > - link:https://issues.apache.org/jira/browse/TOMEE-4002[TOMEE-4002] Tomcat 9.0.64
> > - link:https://issues.apache.org/jira/browse/TOMEE-4051[TOMEE-4051] Tomcat 9.0.65
> > - link:https://issues.apache.org/jira/browse/TOMEE-4060[TOMEE-4060] Tomcat 9.0.67
> > - link:https://issues.apache.org/jira/browse/TOMEE-4087[TOMEE-4087] Tomcat 9.0.68
> > - link:https://issues.apache.org/jira/browse/TOMEE-4018[TOMEE-4018] bcprov-jdk15on 1.70
> >
> > == New Feature
> >
> > [.compact]
> > - link:https://issues.apache.org/jira/browse/TOMEE-3928[TOMEE-3928] Example for properties provider
> >
> > == Bug
> >
> > [.compact]
> > - link:https://issues.apache.org/jira/browse/TOMEE-4021[TOMEE-4021] Unexpected ehcache 3.8.1 in tomee/lib
> > - link:https://issues.apache.org/jira/browse/TOMEE-3850[TOMEE-3850] HTTP(S) connections are not reused
> > - link:https://issues.apache.org/jira/browse/TOMEE-4014[TOMEE-4014] Unable to see TomEE version in Tomcat home page with Java 17
> > - link:https://issues.apache.org/jira/browse/TOMEE-3979[TOMEE-3979] service.bat issue when using JRE_HOME on Windows
> > - link:https://issues.apache.org/jira/browse/TOMEE-4041[TOMEE-4041] 4 CVE Vulnerabilities in snakeyaml-1.30.jar
> > - link:https://issues.apache.org/jira/browse/TOMEE-4001[TOMEE-4001] CVE-2022-34305 displaying user provided data without filtering, exposing a XSS vulnerability
> >
> > == Improvement
> >
> > [.compact]
> > - link:https://issues.apache.org/jira/browse/TOMEE-3878[TOMEE-3878] Backport 'No interface view EJB proxies broken on JDK16+' [TOMEE-3877] to TomEE 8.x
> >
> > == Task
> >
> > [.compact]
> > - link:https://issues.apache.org/jira/browse/TOMEE-4064[TOMEE-4064] OpenJPA 3.2.2 (examples), EclipseLink 2.7.11 (examples), Derby 10.14.2.0
> > - link:https://issues.apache.org/jira/browse/TOMEE-4022[TOMEE-4022] Move to Apache Rat
> > - link:https://issues.apache.org/jira/browse/TOMEE-4056[TOMEE-4056] Log4J2 2.19.0
> > - link:https://issues.apache.org/jira/browse/TOMEE-4058[TOMEE-4058] Update Krazo, DeltaSpike and Hibernate
> > - link:https://issues.apache.org/jira/browse/TOMEE-3914[TOMEE-3914] Spring 3 Dependencies in TomEE Root POM
> > - link:https://issues.apache.org/jira/browse/TOMEE-4088[TOMEE-4088] Add workaround for CVE-2022-41853 (hsqldb)
> >
> > == Documentation
> >
> > [.compact]
> > - link:https://issues.apache.org/jira/browse/TOMEE-4023[TOMEE-4023] Comparison pages with wrong specs per profiles
> > - link:https://issues.apache.org/jira/browse/TOMEE-3981[TOMEE-3981] update javadoc to reflect updates on Jakarta EE
> >
> > == Fixed Common Vulnerabilities and Exposures (CVEs)
> >
> > [.compact]
> > - link:https://issues.apache.org/jira/browse/TOMEE-4041[TOMEE-4041] 4 CVE Vulnerabilities in snakeyaml-1.30.jar
> > - link:https://issues.apache.org/jira/browse/TOMEE-4001[TOMEE-4001] CVE-2022-34305 displaying user provided data without filtering, exposing a XSS vulnerability
> > - link:https://issues.apache.org/jira/browse/TOMEE-4088[TOMEE-4088] Add workaround for CVE-2022-41853 (hsqldb)
> >
> > ###############
> >
> > Here is the dependency diff from 8.0.12 to 8.0.13 created with David's
> > new feature in our release tools:
> >
> > artifactId                      from       to
> > ------------------------------- ---------- -------------------
> > jackson-annotations             2.13.2     2.14.0-rc1
> > jackson-core                    2.13.2     2.14.0-rc1
> > jackson-databind                2.13.2.2   2.14.0-rc1
> > jackson-dataformat-yaml         2.13.2     2.14.0-rc1
> > commons-cli                     1.4        1.5.0
> > batchee-jbatch                  1.0.1      1.0.2
> > commons-dbcp2                   2.3.0      2.9.0
> > cxf-rt-bindings-soap            3.4.5      3.4.8
> > cxf-rt-bindings-xml             3.4.5      3.4.8
> > cxf-rt-frontend-jaxws           3.4.5      3.4.8
> > cxf-rt-frontend-simple          3.4.5      3.4.8
> > cxf-rt-management               3.4.5      3.4.8
> > cxf-rt-rs-extension-providers   3.4.5      3.4.8
> > cxf-rt-rs-extension-search      3.4.5      3.4.8
> > cxf-rt-rs-json-basic            3.4.5      3.4.8
> > cxf-rt-rs-mp-client             3.4.5      3.4.8
> > cxf-rt-rs-security-cors         3.4.5      3.4.8
> > cxf-rt-rs-security-jose         3.4.5      3.4.8
> > cxf-rt-rs-security-jose-jaxrs   3.4.5      3.4.8
> > cxf-rt-rs-security-oauth2       3.4.5      3.4.8
> > cxf-rt-rs-service-description   3.4.5      3.4.8
> > cxf-rt-rs-sse                   3.4.5      3.4.8
> > cxf-rt-security                 3.4.5      3.4.8
> > cxf-rt-security-saml            3.4.5      3.4.8
> > cxf-rt-ws-addr                  3.4.5      3.4.8
> > cxf-rt-ws-policy                3.4.5      3.4.8
> > cxf-rt-ws-security              3.4.5      3.4.8
> > cxf-rt-wsdl                     3.4.5      3.4.8
> > geronimo-connector              3.1.4      3.1.5
> > geronimo-transaction            3.1.4      3.1.5
> > johnzon-core                    1.2.18     1.2.19
> > johnzon-jaxrs                   1.2.18     1.2.19
> > johnzon-jsonb                   1.2.18     1.2.19
> > johnzon-jsonp-strict            1.2.18     1.2.19
> > johnzon-mapper                  1.2.18     1.2.19
> > myfaces-api                     2.3.9      2.3.10
> > myfaces-impl                    2.3.9      2.3.10
> > cxf-shade                       8.0.12     8.0.13
> > taglibs-shade                   8.0.12     8.0.13
> > tomee-bootstrap                 8.0.12     8.0.13
> > bcprov-jdk15on                  1.69       1.70
> > eclipselink                     2.7.9      2.7.11
> > jakarta.faces                   2.3.15     2.3.18
> > hsqldb                          2.5.2      2.7.0
> > snakeyaml                       1.30       1.33
> >
> > ###############
> >
> > Please note:
> >
> > (1) CVE-2022-42003 (jackson-databind): Users are only affected if
> > 'UNWRAP_SINGLE_VALUE_ARRAYS' is set to enabled. Mitigation is included
> > in 2.14.0-rc1 - as discussed in a separate thread, we are "ok" to ship
> > a RC version. We aim to do a follow up release of TomEE 8.x soon.
> >
> > (2) CVE-2022-41853 (hsqldb): As v2.7.1 isn't available yet, TomEE sets
> > "hsqldb.method_class_names" to an invalid value to mitigate the
> > vulnerability. Users can override the property as needed.
> >
> > ###############
> >
> > Please VOTE
> >
> > [+1] go ship it
> > [+0] meh, don't care
> > [-1] stop, there is a ${showstopper}
> >
> > The VOTE is open for 72h or as long as needed.
> >
> > Regards
> > Richard