Also created 2 issues for further dependency upgrades:
https://issues.apache.org/jira/browse/TOMEE-4130
https://issues.apache.org/jira/browse/TOMEE-4129

Is there a reason we don't have the GitHub Dependabot on master and 8.0x?

On Thu, 22 Dec 2022 at 15:07, Thomas Andraschko <
andraschko.tho...@gmail.com> wrote:

> +1 for this as it will fix the new CXF CVE
>
> On Wed, 21 Dec 2022 at 11:03, Richard Zowalla <
> r...@apache.org> wrote:
>
>> To follow up on that:
>>
>> I had a quick conversation with Jon about that topic.
>> We need to fix TOMEE-4014 (regarding the keep.version property, see
>> [1]) before we can bring up a release vote.
>>
>> However, effort / focus is currently on getting 9.0 Final out of the
>> door and fixing / work on the remaining 2 TCK failures. If we have it
>> up for vote, we can (most certainly) bring up a 8.0.14 for vote.
>>
>> Regards
>> Richard
>>
>> [1] https://github.com/apache/tomee/pull/993
>>
>> On Tuesday, 06.12.2022 at 16:35 +0000, Wiesner, Martin wrote:
>> > My vote:
>> > +1
>> >
>> > --
>> > Best
>> > Martin
>> >
>> > > On 06.12.2022 at 16:25, Jean-Louis Monteiro <
>> > > jlmonte...@tomitribe.com> wrote:
>> > >
>> > > I'm not -1
>> > >
>> > > But I'd definitely favor working on getting 9.0.0 final so we can
>> > > switch to
>> > > Jakarta EE 10 and MicroProfile 6.0
>> > >
>> > > My vote: 0
>> > >
>> > > On Tue, 6 Dec 2022, 16:11, Swell <souheil.sul...@gmail.com>
>> > > wrote:
>> > >
>> > > > +1, we did not yet ship the fixes for the CVE, good to have them
>> > > > shipped
>> > > >
>> > > >
>> > > > On Tue, 6 Dec 2022 at 15:47, Richard Zowalla <r...@apache.org>
>> > > > wrote:
>> > > >
>> > > > > Hi all,
>> > > > >
>> > > > > We have some dependency updates (tomcat, cxf, hsqldb) and some
>> > > > > CVE
>> > > > > related fixes (woodstox, shaded bcel, ...).
>> > > > >
>> > > > > I was thinking about having 8.0.14 before we all get too
>> > > > > stressed with
>> > > > > Christmas, etc. and no one has time to review / test a 8.0.14
>> > > > > RC.
>> > > > >
>> > > > > So my questions are:
>> > > > >
>> > > > > - What is the community's opinion regarding a 8.0.14 before
>> > > > > Christmas?
>> > > > > - Are we missing any important version upgrades? Any show
>> > > > > stoppers?
>> > > > >
>> > > > > Here are the current changes in Jira
>> > > > >
>> > > > > https://issues.apache.org/jira/projects/TOMEE/versions/12352390
>> > > > >
>> > > > > and here is a list in plain text without the need to login:
>> > > > >
>> > > > > == Dependency upgrade
>> > > > >
>> > > > > [.compact]
>> > > > > - link:
>> > > > > https://issues.apache.org/jira/browse/TOMEE-4100[TOMEE-4100]  X
>> > > > > Bean 4.22
>> > > > > - link:
>> > > > > https://issues.apache.org/jira/browse/TOMEE-4118[TOMEE-4118]
>> > > > > CXF 3.4.9
>> > > > > - link:
>> > > > > https://issues.apache.org/jira/browse/TOMEE-4086[TOMEE-4086]
>> > > > > HSQLDB 2.7.1
>> > > > > - link:
>> > > > > https://issues.apache.org/jira/browse/TOMEE-4107[TOMEE-4107]
>> > > > > Jackson 2.14.0
>> > > > > - link:
>> > > > > https://issues.apache.org/jira/browse/TOMEE-4116[TOMEE-4116]
>> > > > > Tomcat 9.0.69
>> > > > > - link:
>> > > > > https://issues.apache.org/jira/browse/TOMEE-4121[TOMEE-4121]
>> > > > > Tomcat 9.0.70
>> > > > > - link:
>> > > > > https://issues.apache.org/jira/browse/TOMEE-4109[TOMEE-4109]
>> > > > > Velocity 2.3
>> > > > > - link:
>> > > > > https://issues.apache.org/jira/browse/TOMEE-4110[TOMEE-4110]
>> > > > > Woodstox 6.4.0 (CVE-2022-40152)
>> > > > > - link:
>> > > > > https://issues.apache.org/jira/browse/TOMEE-4111[TOMEE-4111]
>> > > > > bcel component
>> > > > > - link:
>> > > > > https://issues.apache.org/jira/browse/TOMEE-4094[TOMEE-4094]
>> > > > > jackson 2.14.0-rc2
>> > > > > - link:
>> > > > > https://issues.apache.org/jira/browse/TOMEE-4103[TOMEE-4103]
>> > > > > woodstox-core mitigate CVE-2022-40153
>> > > > >
>> > > > > == Bug
>> > > > >
>> > > > > [.compact]
>> > > > > - link:
>> > > > > https://issues.apache.org/jira/browse/TOMEE-4122[TOMEE-4122]
>> > > > > Performance Regression in bean resolution in EAR files
>> > > > > - link:
>> > > > > https://issues.apache.org/jira/browse/TOMEE-4101[TOMEE-4101]
>> > > > > Typo with EL22Adaptor implementation in openwebbeans.properties
>> > > > > - link:
>> > > > > https://issues.apache.org/jira/browse/TOMEE-4102[TOMEE-4102]
>> > > > > TomEE logs SEVERE: Expected ContextBinding to have the method
>> > > > > getThreadName()
>> > > > > - link:
>> > > > > https://issues.apache.org/jira/browse/TOMEE-4014[TOMEE-4014]
>> > > > > Unable to see TomEE version in Tomcat home page with Java 17
>> > > > > - link:
>> > > > > https://issues.apache.org/jira/browse/TOMEE-4106[TOMEE-4106]
>> > > > > TomEE version no longer appearing at default manager page
>> > > > >
>> > > > > == Documentation
>> > > > >
>> > > > > [.compact]
>> > > > > - link:
>> > > > > https://issues.apache.org/jira/browse/TOMEE-4104[TOMEE-4104]
>> > > > > Documentation Website: XA DataSource Configuration: Bug in
>> > > > > MySQL Sample
>> > > > > Code
>> > > > >
>> > > > > == Fixed Common Vulnerabilities and Exposures (CVEs)
>> > > > >
>> > > > > [.compact]
>> > > > > - link:
>> > > > > https://issues.apache.org/jira/browse/TOMEE-4086[TOMEE-4086]
>> > > > > HSQLDB 2.7.1
>> > > > > - link:
>> > > > > https://issues.apache.org/jira/browse/TOMEE-4111[TOMEE-4111]
>> > > > > Upgrade bcel component in TomEE
>> > > > > - link:
>> > > > > https://issues.apache.org/jira/browse/TOMEE-4103[TOMEE-4103]
>> > > > > Update woodstox-core to mitigate CVE-2022-40153
>> > > > >
>> > > > > Regards
>> > > > > Richard
>> > > > >
>> > > > >
>>
>>
