Hi Richard,

I reviewed the PR and it looks good, so I don't see any reason why we would
not merge it.
Good point about the security scanners; we need to make sure it's somewhere
in the release notes, and on our website if possible.

OK for a 9.1.0, because it's not only a patch: we have dependency upgrades
and the patching you just added.

--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com


On Tue, Apr 25, 2023 at 10:07 AM Richard Zowalla <rich...@zowalla.com>
wrote:

> Hi,
>
> I've ported the CVE-related changes for 10.0.x in [1].
> If we want to do 9.0.1 / 9.1.0 (whatever we want to name it), we should
> integrate these changes, so I'd be happy to have some eyes on it.
>
> Patching Tomcat inside TomEE will most likely confuse security
> scanners, so we would need to add a disclaimer on the download pages to
> state that we backported the CVE patches.
>
> I am still +1 for a release as we (at university) have some internal
> webapps already running on 9.0 (so I and our CISO would be more than
> happy to get an "official" patched version).
>
> I don't think that we should then do more than necessary on 9.0.x / 9.1.x
> until we get a flying 10 alpha/milestone, but as we didn't declare it
> EOL, we should IMHO provide some sort of patched version sooner rather
> than later.
>
> Just my 2 cents ;-)
>
> Regards
> Richard
>
> [1] https://github.com/apache/tomee/pull/1033
>
> On Tuesday, 18.04.2023 at 11:49 +0200, Jean-Louis Monteiro wrote:
> > Thanks Swell for providing more information on the consequences/side
> > effects.
> > This helps.
> >
> > I'd say it depends on how fast we can get a 10.0.
> >
> > --
> > Jean-Louis Monteiro
> > http://twitter.com/jlouismonteiro
> > http://www.tomitribe.com
> >
> >
> > On Tue, Apr 18, 2023 at 11:38 AM Swell <souheil.sul...@gmail.com>
> > wrote:
> >
> > > Fixing CVEs should have priority over TCK results, right? That said,
> > > do we want to maintain efforts on 9.1 or focus our resources and time
> > > on 10.0?
> > >
> > > On the other hand, if we upgrade TomEE 9 with Tomcat 10.1 we lose a
> > > status method of the Servlet API used by EE9 versions of
> > > RESTEasy/Jersey/etc., resulting in a NoSuchMethodException. That means
> > > users then must upgrade faulty dependencies to their EE10 equivalents.
> > >
> > > It will feel more natural to users to use an EE10 TomEE with EE10
> > > dependencies, even if it is a milestone/alpha.
> > >
> > > -1 for a TomEE 9 release (mainly because Tomcat 10.0 is EOL)
> > >
> > > My two cents … have a nice week!
> > > Swell
> > >
> > > On Tue 18 Apr 2023 at 11:02, Richard Zowalla <r...@apache.org>
> > > wrote:
> > >
> > > > Hi,
> > > >
> > > > I am +1 for it, but we need to decide if we want to port the
> > > > Commons FileUpload CVE to Tomcat 10.0.27 or if we upgrade to 10.1.x
> > > > (and lose EE 9.1 TCK compliance).
> > > >
> > > > Regards
> > > > Richard
> > > >
> > > >
> > > > On Tuesday, 18.04.2023 at 10:01 +0200, Jean-Louis Monteiro wrote:
> > > > > Hi all,
> > > > >
> > > > > Looks like our backlog is starting to grow. We've done quite a
> > > > > lot of updates and I was wondering if we should do a release for
> > > > > 9.1.0?
> > > > >
> > > > > Note that there is an issue to fix beforehand with the API uber
> > > > > jar, where the tomcat classifier has the same content as the
> > > > > non-tomcat classifier. This was not meant to be the case, so in
> > > > > Tomcat we would use the API jars Tomcat is providing.
> > > > >
> > > > > See https://issues.apache.org/jira/browse/TOMEE-4199
> > > > >
> > > > > Regards
> > > > >
> > > > > --
> > > > > Jean-Louis Monteiro
> > > > > http://twitter.com/jlouismonteiro
> > > > > http://www.tomitribe.com
