+1, we did not yet ship the fixes for the CVE, good to have them shipped

On Tue, 6 Dec 2022 at 15:47, Richard Zowalla <r...@apache.org> wrote:

> Hi all,
>
> We have some dependency updates (tomcat, cxf, hsqldb) and some CVE
> related fixes (woodstox, shaded bcel, ...).
>
> I was thinking about having 8.0.14 before we all get too stressed with
> Christmas, etc. and no one has time to review / test an 8.0.14 RC.
>
> So my questions are:
>
> - What is the community's opinion regarding an 8.0.14 before Christmas?
> - Are we missing any important version upgrades? Any show stoppers?
>
> Here are the current changes in Jira
>
> https://issues.apache.org/jira/projects/TOMEE/versions/12352390
>
> and here is a list in plain text without the need to login:
>
> == Dependency upgrade
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4100[TOMEE-4100]
> XBean 4.22
>  - link:https://issues.apache.org/jira/browse/TOMEE-4118[TOMEE-4118]
> CXF 3.4.9
>  - link:https://issues.apache.org/jira/browse/TOMEE-4086[TOMEE-4086]
> HSQLDB 2.7.1
>  - link:https://issues.apache.org/jira/browse/TOMEE-4107[TOMEE-4107]
> Jackson 2.14.0
>  - link:https://issues.apache.org/jira/browse/TOMEE-4116[TOMEE-4116]
> Tomcat 9.0.69
>  - link:https://issues.apache.org/jira/browse/TOMEE-4121[TOMEE-4121]
> Tomcat 9.0.70
>  - link:https://issues.apache.org/jira/browse/TOMEE-4109[TOMEE-4109]
> Velocity 2.3
>  - link:https://issues.apache.org/jira/browse/TOMEE-4110[TOMEE-4110]
> Woodstox 6.4.0 (CVE-2022-40152)
>  - link:https://issues.apache.org/jira/browse/TOMEE-4111[TOMEE-4111]
> bcel component
>  - link:https://issues.apache.org/jira/browse/TOMEE-4094[TOMEE-4094]
> jackson 2.14.0-rc2
>  - link:https://issues.apache.org/jira/browse/TOMEE-4103[TOMEE-4103]
> woodstox-core mitigate CVE-2022-40153
>
> == Bug
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4122[TOMEE-4122]
> Performance Regression in bean resolution in EAR files
>  - link:https://issues.apache.org/jira/browse/TOMEE-4101[TOMEE-4101]
> Typo with EL22Adaptor implementation in openwebbeans.properties
>  - link:https://issues.apache.org/jira/browse/TOMEE-4102[TOMEE-4102]
> TomEE logs SEVERE: Expected ContextBinding to have the method
> getThreadName()
>  - link:https://issues.apache.org/jira/browse/TOMEE-4014[TOMEE-4014]
> Unable to see TomEE version in Tomcat home page with Java 17
>  - link:https://issues.apache.org/jira/browse/TOMEE-4106[TOMEE-4106]
> TomEE version no longer appearing at default manager page
>
> == Documentation
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4104[TOMEE-4104]
> Documentation Website: XA DataSource Configuration: Bug in MySQL Sample
> Code
>
> == Fixed Common Vulnerabilities and Exposures (CVEs)
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4086[TOMEE-4086]
> HSQLDB 2.7.1
>  - link:https://issues.apache.org/jira/browse/TOMEE-4111[TOMEE-4111]
> Upgrade bcel component in TomEE
>  - link:https://issues.apache.org/jira/browse/TOMEE-4103[TOMEE-4103]
> Update woodstox-core to mitigate CVE-2022-40153
>
> Regards
> Richard
>
>
