Re: [ANN] Apache Karaf runtime 4.3.5 has been released

2021-12-30 Thread Jean-Baptiste Onofre
Hi 

Yes, it’s already planned. The 4.3.6 and 4.2.15 releases will be in vote soon.

Regards
JB

> On 30 Dec 2021, at 18:17, Robert Dean wrote:
> 
> Happy holidays everyone!
> 
> Log4j question: Will there need to be another release for the log4j 2.17.1 
> security fix?
> 
> Thank you,
> Joe Dean
> 
> 
> PTO Alert: None
> 
> On 12/28/21, 10:55 PM, "Jean-Baptiste Onofre"  wrote:
> 
>The Apache Karaf team is pleased to announce Apache Karaf runtime 4.3.5 
> release.
> 
>This release is an important release on the Karaf 4.3.x series bringing 
> security fixes (logshell) especially:
> 
>- upgrade to jolokia 1.7.1
>- upgrade to pax-logging 2.0.12
>- upgrade to log4j 2.17.0 fixing CVE-2021-45105 and CVE-2021-44228
>- upgrade to logback 1.2.9 fixing CVE-2021-42550
> 
>The Release Notes are available here: 
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12350856
> 
>Download: 
> http://karaf.apache.org/download.html
> 
>Enjoy!
>The Apache Karaf team
> 



Re: karaf-maven-plugin generates another org.apache.karaf.features.xml with Java 8/Java 11

2021-12-30 Thread Jean-Baptiste Onofre
Hi Steven,

Thanks for the update. Now that you mention MNG-6506, I think we had this issue 
a while ago (at least me on my machine ;)).

Regards
JB

> On 30 Dec 2021, at 20:18, Steven Huypens wrote:
> 
> Hi JB,
> 
> It turns out I was facing this issue :
> https://issues.apache.org/jira/browse/MNG-6506. Upgrading maven solved the
> problem.
> 
> 
> Best regards,
> Steven
> 
> On Thu, Dec 23, 2021 at 10:50 AM Steven Huypens 
> wrote:
> 
>> Hi JB,
>> 
>> Do you have any news on this ? If you could give me any pointers, I'm
>> happy to try and fix it myself, but for now I'm stuck.
>> 
>> Best regards,
>> Steven
>> 
>> On Fri, Dec 3, 2021 at 1:01 PM Jean-Baptiste Onofré 
>> wrote:
>> 
>>> Hi Steven,
>>> 
>>> Not yet, I'm busy with 4.3.4 release preparation. As part of the release
>>> preparation, I will take a look, probably later today or tomorrow.
>>> 
>>> I will keep you posted.
>>> 
>>> Regards
>>> JB
>>> 
>>> On 03/12/2021 12:22, Steven Huypens wrote:
 Hi JB,
 
 Did you find some time to have a look at my example ?
 
 Best regards,
 Steven
 
 On Sun, Nov 28, 2021 at 7:46 PM Steven Huypens <
>>> steven.huyp...@gmail.com>
 wrote:
 
> Hi JB,
> 
> This pom.xml illustrates the problem :
> https://github.com/ponziani/karaf-simple-suite
> 
> Kind regards,
> Steven
> 
> On Sun, Nov 28, 2021 at 5:12 PM JB Onofré  wrote:
> 
>> In that case, it’s weird as Karaf uses jdk11 to build and I don’t see
>> such issue.
>> 
>> Do you have a test repo where I can take a look ?
>> 
>> Thanks
>> Regards
>> JB
>> 
>>> On 28 Nov 2021, at 16:21, Steven Huypens wrote:
>>> 
>>> Hi,
>>> 
>>> I found out package-info.java in the
>>> package org.apache.karaf.features.internal.model.processing contains
>>> 
>>> @XmlSchema(namespace = "http://karaf.apache.org/xmlns/features-processing/v1.0.0",
>>>     elementFormDefault = XmlNsForm.QUALIFIED,
>>>     attributeFormDefault = XmlNsForm.UNQUALIFIED,
>>>     xmlns = {
>>>         @XmlNs(prefix = "", namespaceURI = FEATURES_PROCESSING_NS),
>>>         @XmlNs(prefix = "f", namespaceURI = FeaturesNamespaces.URI_CURRENT)
>>>     }
>>> )
>>> 
>>> 
>>> These annotations are ignored when using Java 11, I have no idea why,
>> but
>>> looks like a bug to me.
>>> 
>>> Kind regards,
>>> Steven
>>> 
>>> 
 On Sun, Nov 28, 2021 at 12:05 PM Steven Huypens <
>> steven.huyp...@gmail.com>
 wrote:
 
 Hi Bernd,
 
 I must correct myself. Adding the 'ns3'-prefix to all of the
>>> children
>> does
 help. It seems all of the tags without prefix are ignored at
>>> boot-time
 which causes the OOM. So maybe a fix in the karaf-maven-plugin
>>> would be
 best, the prefix should be added to each child...
 
 Kind regards,
 Steven
 
 On Sat, Nov 27, 2021 at 9:56 PM Steven Huypens <
>> steven.huyp...@gmail.com>
 wrote:
 
> Hi Bernd,
> 
> - I do see 'blacklistedRepositories' in
> http://karaf.apache.org/xmlns/features-processing/v1.0.0
> - With the namespace-prefix my app goes OOM immediately, so I
>>> cannot
> compare both running systems.
> - I tried adding the prefix to each child, but that did not help
> 
> Kind regards,
> Steven
> 
> On Sat, Nov 27, 2021 at 9:23 PM Bernd Eckenfels <
>> e...@zusammenkunft.net>
> wrote:
> 
>> In that case maybe the child (deny* list?) is ignored, not sure
>>> how
>> strict the parser is in regards to namespaces. I don’t see a
>> blacklistRepository element in the Schema anyway. It’s maybe best
>>> you
>> inspect the running systems with feature:* commands and look for
>> differences.
>> 
>> 
>> 
>> --
>> http://bernd.eckenfels.net
>> 
>> From: Steven Huypens 
>> Sent: Saturday, November 27, 2021 8:58:20 PM
>> To: dev@karaf.apache.org 
>> Subject: Re: karaf-maven-plugin generates another
>> org.apache.karaf.features.xml with Java 8/Java 11
>> 
>> Hi Bernd,
>> 
>> Thanks for your response. The child elements have no prefix, eg.
>> 
>> 
>> I'm sorry but I do not understand what you mean. You think part
>>> of my
>> org.apache.karaf.features.xml was previously ignored ? I haven't
>> double
>> checked, but that would really surprise me because we have quite
>>> some
>> blacklistedFeatures and blacklistedBundles which would cause
>>> problems
>> if
>> ignored.
>> 
>> Best regards,
>> Steven
>> 

Re: karaf-maven-plugin generates another org.apache.karaf.features.xml with Java 8/Java 11

2021-12-30 Thread Steven Huypens
Hi JB,

It turns out I was facing this issue :
https://issues.apache.org/jira/browse/MNG-6506. Upgrading maven solved the
problem.


Best regards,
Steven

On Thu, Dec 23, 2021 at 10:50 AM Steven Huypens 
wrote:

> Hi JB,
>
> Do you have any news on this ? If you could give me any pointers, I'm
> happy to try and fix it myself, but for now I'm stuck.
>
> Best regards,
> Steven
>
> On Fri, Dec 3, 2021 at 1:01 PM Jean-Baptiste Onofré 
> wrote:
>
>> Hi Steven,
>>
>> Not yet, I'm busy with 4.3.4 release preparation. As part of the release
>> preparation, I will take a look, probably later today or tomorrow.
>>
>> I will keep you posted.
>>
>> Regards
>> JB
>>
>> On 03/12/2021 12:22, Steven Huypens wrote:
>> > Hi JB,
>> >
>> > Did you find some time to have a look at my example ?
>> >
>> > Best regards,
>> > Steven
>> >
>> > On Sun, Nov 28, 2021 at 7:46 PM Steven Huypens <
>> steven.huyp...@gmail.com>
>> > wrote:
>> >
>> >> Hi JB,
>> >>
>> >> This pom.xml illustrates the problem :
>> >> https://github.com/ponziani/karaf-simple-suite
>> >>
>> >> Kind regards,
>> >> Steven
>> >>
>> >> On Sun, Nov 28, 2021 at 5:12 PM JB Onofré  wrote:
>> >>
>> >>> In that case, it’s weird as Karaf uses jdk11 to build and I don’t see
>> >>> such issue.
>> >>>
>> >>> Do you have a test repo where I can take a look ?
>> >>>
>> >>> Thanks
>> >>> Regards
>> >>> JB
>> >>>
>>  On 28 Nov 2021, at 16:21, Steven Huypens wrote:
>> 
>>  Hi,
>> 
>>  I found out package-info.java in the
>>  package org.apache.karaf.features.internal.model.processing contains
>> 
>>  @XmlSchema(namespace = "http://karaf.apache.org/xmlns/features-processing/v1.0.0",
>>      elementFormDefault = XmlNsForm.QUALIFIED,
>>      attributeFormDefault = XmlNsForm.UNQUALIFIED,
>>      xmlns = {
>>          @XmlNs(prefix = "", namespaceURI = FEATURES_PROCESSING_NS),
>>          @XmlNs(prefix = "f", namespaceURI = FeaturesNamespaces.URI_CURRENT)
>>      }
>>  )
>> 
>> 
>>  These annotations are ignored when using Java 11, I have no idea why,
>> >>> but
>>  looks like a bug to me.
>> 
>>  Kind regards,
>>  Steven
>> 
>> 
>> > On Sun, Nov 28, 2021 at 12:05 PM Steven Huypens <
>> >>> steven.huyp...@gmail.com>
>> > wrote:
>> >
>> > Hi Bernd,
>> >
>> > I must correct myself. Adding the 'ns3'-prefix to all of the
>> children
>> >>> does
>> > help. It seems all of the tags without prefix are ignored at
>> boot-time
>> > which causes the OOM. So maybe a fix in the karaf-maven-plugin
>> would be
>> > best, the prefix should be added to each child...
>> >
>> > Kind regards,
>> > Steven
>> >
>> > On Sat, Nov 27, 2021 at 9:56 PM Steven Huypens <
>> >>> steven.huyp...@gmail.com>
>> > wrote:
>> >
>> >> Hi Bernd,
>> >>
>> >> - I do see 'blacklistedRepositories' in
>> >> http://karaf.apache.org/xmlns/features-processing/v1.0.0
>> >> - With the namespace-prefix my app goes OOM immediately, so I
>> cannot
>> >> compare both running systems.
>> >> - I tried adding the prefix to each child, but that did not help
>> >>
>> >> Kind regards,
>> >> Steven
>> >>
>> >> On Sat, Nov 27, 2021 at 9:23 PM Bernd Eckenfels <
>> >>> e...@zusammenkunft.net>
>> >> wrote:
>> >>
>> >>> In that case maybe the child (deny* list?) is ignored, not sure
>> how
>> >>> strict the parser is in regards to namespaces. I don’t see a
>> >>> blacklistRepository element in the Schema anyway. It’s maybe best
>> you
>> >>> inspect the running systems with feature:* commands and look for
>> >>> differences.
>> >>>
>> >>>
>> >>>
>> >>> --
>> >>> http://bernd.eckenfels.net
>> >>> 
>> >>> From: Steven Huypens 
>> >>> Sent: Saturday, November 27, 2021 8:58:20 PM
>> >>> To: dev@karaf.apache.org 
>> >>> Subject: Re: karaf-maven-plugin generates another
>> >>> org.apache.karaf.features.xml with Java 8/Java 11
>> >>>
>> >>> Hi Bernd,
>> >>>
>> >>> Thanks for your response. The child elements have no prefix, eg.
>> >>> 
>> >>>
>> >>> I'm sorry but I do not understand what you mean. You think part
>> of my
>> >>> org.apache.karaf.features.xml was previously ignored ? I haven't
>> >>> double
>> >>> checked, but that would really surprise me because we have quite
>> some
>> >>> blacklistedFeatures and blacklistedBundles which would cause
>> problems
>> >>> if
>> >>> ignored.
>> >>>
>> >>> Best regards,
>> >>> Steven
>> >>>
>> >>> On Sat, Nov 27, 2021 at 8:22 PM Bernd Eckenfels <
>> >>> e...@zusammenkunft.net>
>> >>> wrote:
>> >>>
>>  Hello Steven
>> 
>>  How do the child elements of that element look like? Are they
>> using
>>  default/f/ns2 prefix and maybe the (semanti
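
Added example (not code from this thread or from Karaf): a namespace-aware check for the effect discussed above, where a prefix on the root element alone leaves the unprefixed children in no namespace, so a reader that expects qualified elements skips them and the blacklisted* entries silently do not apply. The sample documents are constructed; the root element name `featuresProcessing` and the `feature` entry are assumptions.

```python
import xml.etree.ElementTree as ET

# Namespace quoted in the thread for org.apache.karaf.features.xml.
NS = "http://karaf.apache.org/xmlns/features-processing/v1.0.0"

def unqualified_elements(xml_text):
    """Return the names of elements that are in no namespace, in document order.

    ElementTree reports a namespaced element as '{uri}local'; an element in
    no namespace has a bare tag, and a namespace-aware reader that expects
    qualified elements will not match it.
    """
    root = ET.fromstring(xml_text)
    return [el.tag for el in root.iter() if not el.tag.startswith("{")]

# Constructed samples. The root name and the <feature> entry are assumptions;
# the blacklisted* names and the 'ns3' prefix come from the thread.
BODY = (
    "<{p}blacklistedRepositories/>"
    "<{p}blacklistedFeatures><{p}feature>example-feature</{p}feature></{p}blacklistedFeatures>"
    "<{p}blacklistedBundles/>"
)

# Default namespace on the root: unprefixed children inherit it.
DEFAULT_NS_DOC = f'<featuresProcessing xmlns="{NS}">' + BODY.format(p="") + "</featuresProcessing>"

# Prefix on the root only: unprefixed children fall into no namespace.
ROOT_ONLY_PREFIX_DOC = (
    f'<ns3:featuresProcessing xmlns:ns3="{NS}">' + BODY.format(p="") + "</ns3:featuresProcessing>"
)

# Prefix on every element: the workaround reported in the thread.
ALL_PREFIXED_DOC = (
    f'<ns3:featuresProcessing xmlns:ns3="{NS}">' + BODY.format(p="ns3:") + "</ns3:featuresProcessing>"
)

if __name__ == "__main__":
    for name, doc in [("default ns", DEFAULT_NS_DOC),
                      ("root-only prefix", ROOT_ONLY_PREFIX_DOC),
                      ("all prefixed", ALL_PREFIXED_DOC)]:
        print(f"{name}: unqualified = {unqualified_elements(doc)}")
```

Run against a generated file in a build pipeline, a non-empty result is a reason to fail the build before the deny list is relied on.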

Re: [ANN] Apache Karaf runtime 4.3.5 has been released

2021-12-30 Thread Robert Dean
Happy holidays everyone!

Log4j question: Will there need to be another release for the log4j 2.17.1 
security fix?

Thank you,
Joe Dean


PTO Alert: None

On 12/28/21, 10:55 PM, "Jean-Baptiste Onofre"  wrote:

The Apache Karaf team is pleased to announce Apache Karaf runtime 4.3.5 
release.

This release is an important release on the Karaf 4.3.x series bringing 
security fixes (logshell) especially:

- upgrade to jolokia 1.7.1
- upgrade to pax-logging 2.0.12
- upgrade to log4j 2.17.0 fixing CVE-2021-45105 and CVE-2021-44228
- upgrade to logback 1.2.9 fixing CVE-2021-42550

The Release Notes are available here: 
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311140&version=12350856

Download: 
http://karaf.apache.org/download.html


Enjoy!
The Apache Karaf team



[ANN] Pax Logging 2.0.14, 1.11.13 and 1.10.9 released

2021-12-30 Thread Grzegorz Grzybek
Hello

Pax Logging 2.0.14, 1.11.13 and 1.10.9 have been released with two upgrades:
 - Log4j2 2.17.1
 - Logback 1.2.10

These are the latest versions of the dependencies as of December 30th 2021.

Additionally, 2.0.14 and 1.11.13 contain a new configuration property:
"org.ops4j.pax.logging.syncJULFormatter" (defaults to "true") which
controls the usage of `java.util.logging.SimpleFormatter` inside Pax
Logging's JUL Handler. By default, there's a single formatter with
synchronization. When this property is set to "false", a new instance is
created for each event being handled - this is a special system/context
property to be used in Payara server where some deadlocks were observed.

The changelogs are:
 - 2.0.14:
https://github.com/ops4j/org.ops4j.pax.logging/milestone/78?closed=1
 - 1.11.13:
https://github.com/ops4j/org.ops4j.pax.logging/milestone/79?closed=1
 - 1.10.9:
https://github.com/ops4j/org.ops4j.pax.logging/milestone/81?closed=1

kind regards
Grzegorz Grzybek