Looking in the distribution I don't see any of these jars then. Do you
agree?

On Wed, Oct 11, 2023 at 11:11 AM Richard Zowalla <[email protected]> wrote:

> Some of these dependencies aren't shipped with the TomEE distribution.
> Best way to check is to actually look through /lib
>
>
>
> On 11 October 2023 16:56:27 CEST, Jamie Johnson <[email protected]> wrote:
> >There are other vulnerabilities (pulled from https://osv.dev/) that can
> >be addressed, but need to be reviewed.  The format below is dependency
> >current_version (fix_version).
> >
> >org.apache.httpcomponents:httpclient 4.2.2 (>= 4.5.13)
> >GHSA-2x83-r56g-cv47 (4.2.3), GHSA-7r82-7xv7-xcpj
> >(4.5.13), GHSA-fmj5-wv96-r2ch (4.3.6), GHSA-cfh5-3ghh-wfjx (4.3.5)
> >
> >xalan:xalan 2.7.2 (2.7.3)
> >GHSA-9339-86wc-4qgf (2.7.3)
> >
> >org.apache.commons:commons-compress 1.14 (>=1.24.0)
> >GHSA-hrmr-f5m6-m9pq (1.18), GHSA-xqfj-vm6h-2x34 (1.22),
> >GHSA-h436-432x-8fvx (1.16), GHSA-crv7-7245-f45f (1.21),
> >GHSA-mc84-pj99-q6hh (1.21), GHSA-7hfm-57qf-j43q (1.21),
> >GHSA-cgwf-w82q-5jrr (1.24.0)
> >
> >org.eclipse.jetty:jetty-server 9.4.49.v20220914 (9.4.51.v20230217)
> >GHSA-qw69-rqj8-6qw8 (9.4.51.v20230217), GHSA-p26g-97m4-6q7c
> >(9.4.51.v20230217)
> >
> >org.eclipse.jetty:jetty-http 9.4.49.v20220914 (>=9.4.53)
> >GHSA-hmr7-m48g-48f6 (9.4.52), GHSA-wgh7-54f2-x98r (9.4.53)
> >
> >org.eclipse.jetty:jetty-servlets 9.4.49.v20220914 (9.4.53)
> >GHSA-3gh6-v5v9-6v9j (9.4.53)
> >
> >org.apache.sshd:sshd-core 2.1.0 (>=2.10.0)
> >GHSA-9279-7hph-r3xw (2.7.0), GHSA-fhw8-8j55-vwgq
> >(2.9.2), GHSA-mjmq-gwgm-5qhm (2.10.0)
> >
> >com.google.code.gson:gson 2.2.4 (2.8.9)
> >GHSA-4jrv-ppp4-jm57 (2.8.9)
> >
> >org.webjars:handlebars 1.2.1 (4.7.7)
> >GHSA-f2jv-r9rf-7988 (4.7.7)
> >
> >org.apache.ivy:ivy 2.3.0 (>= 2.5.2)
> >GHSA-wv7w-rj2x-556x (2.5.1), GHSA-2jc4-r94c-rp7h (2.5.2)
> >
> >
> >On Wed, Oct 11, 2023 at 6:49 AM Jamie Johnson <[email protected]> wrote:
> >
> >> How deep down the rabbit hole should the dependency checks normally go?
> >> Looks like the big ones I was tracking with security updates were done.
> >>
> >> johnzon 1.2.21
> >> tomcat 9.0.81
> >> bouncy castle 1.76
> >>
> >> Still poking around a bit but there’s obviously a lot.
> >>
> >> On Wed, Oct 11, 2023 at 2:09 AM Richard Zowalla <[email protected]> wrote:
> >>
> >>> In theory, every committer can act as release manager.
> >>>
> >>> There are some steps in the process which require PMC karma, though
> >>> (such as adding a key to the KEYS file, moving stuff to the release area
> >>> on SVN, starting the VOTE, etc.).
> >>>
> >>> The process is documented here: [1]
> >>>
> >>> That being said:
> >>>
> >>> I am currently planning to start the release process for TomEE 9.1.1
> >>> within this week. Due to the Tomcat security issues released yesterday,
> >>> we need to do some backporting, which will consume additional time. (It
> >>> just interrupted my preparations, so it needs additional CI / TCK
> >>> cycles)
> >>>
> >>> A release usually consumes around 1-3 hours of work. Mostly because you
> >>> have to wait for stuff being built or to run some basic sanity checks
> >>> before starting and to not forget any step.
> >>>
> >>> What would really help for a TomEE 8.0.16 is to carefully re-check the
> >>> current dependencies for important 3rd party dependencies (and update
> >>> if needed. Note: Each update or bunch of updates shouldn't break the
> >>> build. A full build on CI takes around 4-8 hours) on that branch, build
> >>> it locally and conduct some sanity checks (for example: same lib in
> >>> different versions in /lib -> check and fix) with the created
> >>> tar.gz/zip files.
> >>>
> >>> This is one of the steps, which usually consumes a lot of time. If you
> >>> want to give it a try, I am happy to help out for the steps which
> >>> require PMC involvement. Otherwise, I might find some time in the next
> >>> week to start a release of 8.0.16 - just let me know and I can plan my
> >>> time accordingly ;-)
> >>>
> >>> Regards
> >>> Richard
> >>>
> >>>
> >>>
> >>>
> >>> [1] https://tomee.apache.org/dev/release-tomee.html
> >>>
> >>>
> >>> On Tuesday, 10.10.2023 at 17:56 -0500, Jonathan S. Fisher wrote:
> >>> > Jean-Louis, are there directions anywhere? Not promising anything :)
> >>> >
> >>> > On Tue, Oct 10, 2023 at 5:22 PM Jean-Louis Monteiro
> >>> > <[email protected]> wrote:
> >>> > >
> >>> > > Whomever is committer can do it.
> >>> > >
> >>> > > I was just trying to give you an honest reply regarding my
> >>> > > availabilities
> >>> > > and give visibility to the rest of the community and the other
> >>> > > committers
> >>> > > at the same time.
> >>> > >
> >>> > > Hope it helps.
> >>> > >
> >>> > >
> >>> > > On Tue. 10 Oct. 2023, 23:27, Jamie Johnson <[email protected]> wrote:
> >>> > >
> >>> > > > I’m not sure what that entails or who would go about doing it. Is
> >>> > > > it a
> >>> > > > community or contributor driven thing?
> >>> > > >
> >>> > > > On Tue, Oct 10, 2023 at 3:25 PM Jean-Louis Monteiro <
> >>> > > > [email protected]> wrote:
> >>> > > >
> >>> > > > > I think most of the energy is currently on TomEE 9 and the new
> >>> > > > > TomEE 10.
> >>> > > > > I've also noticed some Tomcat CVE today if I remember
> >>> > > > > correctly.
> >>> > > > >
> >>> > > > > I'm all hands on TomEE 10 currently because we need to fill the
> >>> > > > > feature
> >>> > > > > gaps on all implementations. So speaking about myself, not sure
> >>> > > > > I can
> >>> > > > > trigger a build and deliver the whole process in the next
> >>> > > > > couple of days
> >>> > > > or
> >>> > > > > weeks.
> >>> > > > >
> >>> > > > > If someone can do it, I'm happy to review, test and vote on the
> >>> > > > > release.
> >>> > > > > --
> >>> > > > > Jean-Louis Monteiro
> >>> > > > > http://twitter.com/jlouismonteiro
> >>> > > > > http://www.tomitribe.com
> >>> > > > >
> >>> > > > >
> >>> > > > > On Tue, Oct 10, 2023 at 5:48 PM Jamie Johnson
> >>> > > > > <[email protected]> wrote:
> >>> > > > >
> >>> > > > > > Is there a timeline for the release of 8.0.16?  There are a
> >>> > > > > > few security issues associated with johnzon that we'd like to
> >>> > > > > > leverage while we migrate to a newer version of TomEE.
> >>> > > > > >
> >>> > > > >
> >>> > > >
> >>> >
> >>> >
> >>> >
> >>>
> >>>
>
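One way to automate the /lib sanity checks discussed in this thread: which of the flagged artifacts actually ship in the distribution, whether the same library is present in more than one version, and whether a shipped version is still below the first fixed version. This is an added example, not tooling from the thread or from the TomEE project. The jar-name regex, the simplified version ordering, the sample lib/ listing and the advisory tuples (artifact ids and fix versions copied from the list posted above, group ids dropped because jar file names do not carry them) are assumptions made for illustration.

```python
"""Added example: sanity-check a TomEE-style lib/ directory.

Lists every versioned jar, flags a library present in more than one
version, reports which advisory artifacts are not shipped at all, and
flags shipped versions below a known fix version.
"""
import re
import sys
from collections import defaultdict
from pathlib import Path

# Assumed naming convention: <artifactId>-<version>.jar, version starting
# with a digit. Unversioned jars (e.g. catalina.jar) are skipped and must
# be checked by hand.
JAR_RE = re.compile(r"^(?P<artifact>[A-Za-z0-9_.+-]+?)-(?P<version>\d[\w.+-]*?)\.jar$")

# Constructed sample listing, not a real TomEE distribution; xalan is
# deliberately present twice to exercise the duplicate check.
SAMPLE_LIB = [
    "catalina.jar",
    "commons-compress-1.14.jar",
    "httpclient-4.2.2.jar",
    "jetty-server-9.4.49.v20220914.jar",
    "johnzon-core-1.2.21.jar",
    "bcprov-jdk18on-1.76.jar",
    "xalan-2.7.2.jar",
    "xalan-2.7.3.jar",
]

# (artifactId, first fixed version, advisory), from the list posted in the
# thread. Only a subset; the group id is dropped on purpose.
ADVISORIES = [
    ("httpclient", "4.5.13", "GHSA-7r82-7xv7-xcpj"),
    ("commons-compress", "1.24.0", "GHSA-cgwf-w82q-5jrr"),
    ("jetty-server", "9.4.51.v20230217", "GHSA-qw69-rqj8-6qw8"),
    ("xalan", "2.7.3", "GHSA-9339-86wc-4qgf"),
    ("sshd-core", "2.10.0", "GHSA-mjmq-gwgm-5qhm"),
]


def parse_jar_name(name):
    """'commons-compress-1.14.jar' -> ('commons-compress', '1.14'); None if unversioned."""
    m = JAR_RE.match(name)
    return (m.group("artifact"), m.group("version")) if m else None


def version_key(version):
    """Simplified ordering: split on '.', '-' and '_'; numeric parts compare
    as ints and sort before non-numeric parts. Not full Maven semantics
    (qualifiers such as -SNAPSHOT or .RC1 get no special rank)."""
    key = []
    for part in re.split(r"[.\-_]", version):
        key.append((0, int(part), "") if part.isdigit() else (1, 0, part))
    return tuple(key)


def scan_lib_dir(path):
    """Jar file names in a real lib/ directory (what a release manager would run)."""
    return sorted(p.name for p in Path(path).glob("*.jar"))


def index_lib(jar_names):
    """Map artifactId -> versions found, sorted ascending."""
    found = defaultdict(set)
    for name in jar_names:
        parsed = parse_jar_name(name)
        if parsed:
            found[parsed[0]].add(parsed[1])
    return {a: sorted(v, key=version_key) for a, v in found.items()}


def duplicate_versions(index):
    """Same library shipped in more than one version (the thread's example check)."""
    return {a: v for a, v in index.items() if len(v) > 1}


def not_shipped(index, advisories):
    """Advisory artifacts absent from lib/ entirely (build-time or transitive only)."""
    return sorted({a for a, _, _ in advisories if a not in index})


def vulnerable_in_lib(index, advisories):
    """(artifact, found, fix, advisory) for every shipped version below the fix."""
    hits = []
    for artifact, fix, adv in advisories:
        for found in index.get(artifact, []):
            if version_key(found) < version_key(fix):
                hits.append((artifact, found, fix, adv))
    return hits


def report(jar_names, advisories=ADVISORIES):
    index = index_lib(jar_names)
    return {
        "duplicates": duplicate_versions(index),
        "not_shipped": not_shipped(index, advisories),
        "vulnerable": vulnerable_in_lib(index, advisories),
    }


if __name__ == "__main__":
    # Usage: python libcheck.py /path/to/apache-tomee/lib   (defaults to SAMPLE_LIB)
    names = scan_lib_dir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LIB
    r = report(names)
    for artifact, versions in sorted(r["duplicates"].items()):
        print(f"DUPLICATE   {artifact}: {', '.join(versions)}")
    for artifact in r["not_shipped"]:
        print(f"NOT SHIPPED {artifact}")
    for artifact, found, fix, adv in r["vulnerable"]:
        print(f"VULNERABLE  {artifact} {found} < {fix} ({adv})")
```

Run it against the unpacked tar.gz/zip rather than against a source checkout, since the thread's point is that an OSV hit on a Maven coordinate says nothing about what ends up in /lib; the "NOT SHIPPED" lines are the coordinates that can be deprioritised, and the version comparator is deliberately simple, so treat a borderline qualifier version as something to check by hand.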
