Re: [VOTE] Apache TomEE 9.1.3
Hi, +1

On Sat, Apr 13, 2024, 15:29 Richard Zowalla wrote:

> Here is my own +1
>
> On Monday, 08.04.2024 at 11:33 +0200, Richard Zowalla wrote:
> > Hello everyone,
> >
> > This is a vote for the release of Apache TomEE 9.1.3
> >
> > It contains some version upgrades (cxf, jackson, batchee) and security
> > backports for the recent Tomcat CVEs.
> >
> > Here are the hard facts:
> >
> > ###
> >
> > Maven Repo:
> > https://repository.apache.org/content/repositories/orgapachetomee-1227/
> >
> > tomee-9.1.3-rc1
> > Testing TomEE 9.1.3
> > https://repository.apache.org/content/repositories/orgapachetomee-1227/
> >
> > ###
> >
> > Binaries & Source:
> >
> > https://dist.apache.org/repos/dist/dev/tomee/staging-1227/tomee-9.1.3/
> >
> > ###
> >
> > Tag:
> >
> > https://github.com/apache/tomee/releases/tag/tomee-project-9.1.3
> >
> > ###
> >
> > Release notes:
> >
> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320=12354125
> >
> > ###
> >
> > Here is an adoc generated version of the changelog as well:
> >
> > == Dependency upgrade
> >
> > [.compact]
> > - link:https://issues.apache.org/jira/browse/TOMEE-4305[TOMEE-4305] Backport fix for CVE-2024-23672 for TomEE 9.x
> > - link:https://issues.apache.org/jira/browse/TOMEE-4306[TOMEE-4306] Backport fix for CVE-2024-24549 for TomEE 9.x
> > - link:https://issues.apache.org/jira/browse/TOMEE-4316[TOMEE-4316] BatchEE 1.0.4
> > - link:https://issues.apache.org/jira/browse/TOMEE-4290[TOMEE-4290] Jackson 2.16.2
> > - link:https://issues.apache.org/jira/browse/TOMEE-4304[TOMEE-4304] cxf-core 4.0.4
> >
> > == New Feature
> >
> > [.compact]
> > - link:https://issues.apache.org/jira/browse/TOMEE-3902[TOMEE-3902] Introduce placeholder replacement to enable MDB activation properties to be more customizable
> >
> > == Bug
> >
> > [.compact]
> > - link:https://issues.apache.org/jira/browse/TOMEE-4295[TOMEE-4295] tomee-embedded-maven-plugin does not register microprofile endpoints
> >
> > ###
> >
> > Please note:
> >
> > Grype will report a vulnerability for
> >
> > apache-mime4j-core 0.8.7 0.8.10 java-archive GHSA-jw7r-rxff-gv24 Medium
> >
> > which is shaded inside of "geronimo-mail_2.1_spec-1.0.0-M1.jar".
> >
> > In its current version, the dependency is _NOT_ used inside of
> > geronimo mail impl, so unless you are using the shaded classes
> > yourself, we are not affected here.
> > There is also another mail thread related to mail.
> >
> > For signature verification, you can check on the example script here:
> > https://gist.github.com/rzo1/9fb1ca0d58e1fc982d596f2a94b10b32
> >
> > ###
> >
> > Please VOTE
> >
> > [+1] go ship it
> > [+0] meh, don't care
> > [-1] stop, there is a ${showstopper}
> >
> > The VOTE is open for 72h or as long as needed.
> >
> > Regards
> > Richard
> >
> > P.S. On a personal note: This will be the last TomEE 9.1.x release I
> > will be working on (no backports from my side anymore). I decided to
> > invest my volunteer time in TomEE 10+ only. If someone else wants to
> > maintain the 9.x line, I am happy to review related PRs.
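The Grype note in the vote mail quoted above can be checked on your own artifacts with a short script. This is an added example, not code from the TomEE project or the linked gist; it assumes the shaded jar still carries the dependency's `META-INF/maven/.../pom.properties` and that the `org.apache.james.mime4j` package is not relocated, and the jars it inspects are constructed in memory.

```python
import io
import zipfile

MIME4J_PKG = b"org/apache/james/mime4j/"  # assumption: package path is not relocated

def make_jar(entries):
    """Build an in-memory jar from {entry name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()

def bundled_coordinates(jar_bytes):
    """Map artifactId -> version for every pom.properties embedded in the jar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("/pom.properties")):
                continue
            props = {}
            for line in jar.read(name).decode("utf-8", "replace").splitlines():
                if "=" in line and not line.lstrip().startswith("#"):
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            if "artifactId" in props and "version" in props:
                found[props["artifactId"]] = props["version"]
    return found

def is_below(version, fixed_in):
    """Compare dotted versions numerically, so that 0.8.7 sorts below 0.8.10."""
    def key(v):
        return tuple(int(p) for p in v.split(".") if p.isdigit())
    return key(version) < key(fixed_in)

def classes_referencing(jar_bytes, package_path):
    """List .class entries whose bytes (constant pool) mention the package path."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return [n for n in jar.namelist()
                if n.endswith(".class") and package_path in jar.read(n)]

# Constructed stand-ins: the mail spec jar and two hypothetical application jars.
MAIL_JAR = make_jar({"META-INF/maven/org.apache.james/apache-mime4j-core/pom.properties":
                     b"#Generated\nartifactId=apache-mime4j-core\nversion=0.8.7\n"})
APP_CLEAN = make_jar({"com/example/Mailer.class": b"\xca\xfe\xba\xbe jakarta/mail/Session"})
APP_USES = make_jar({"com/example/Parser.class": b"\xca\xfe\xba\xbe " + MIME4J_PKG + b"Stub"})

if __name__ == "__main__":
    print(bundled_coordinates(MAIL_JAR), classes_referencing(APP_USES, MIME4J_PKG))
```

An empty result from `classes_referencing` on your own application jars supports the "not affected" reading; a non-empty one means the shaded classes are reachable from your code and the finding needs a closer look.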
Re: [PR] TOMEE-4318 | TOMEE-4317 - ActiveMQ 6 + Java 17 (tomee)
rzo1 commented on code in PR #1120: URL: https://github.com/apache/tomee/pull/1120#discussion_r1564188578 ## container/openejb-loader/src/main/java/org/apache/openejb/loader/Embedder.java: ## @@ -105,6 +105,7 @@ private Class forcefulLoad(final ClassPath classPath, final ClassLoader classLoa } classPath.addJarsToPath(libsDir); } catch (final Exception e2) { +e2.printStackTrace(); Review Comment: yes -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@tomee.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
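Review bot: the added `e2.printStackTrace();` in the `catch (final Exception e2)` block of `forcefulLoad` in Embedder.java writes the trace directly to stderr, where it bypasses log levels and log routing and can expose classpath and filesystem details to whoever reads the console output. If this was a debugging aid it should be dropped before merge; if the failure of `classPath.addJarsToPath(libsDir)` is worth reporting, pass the exception to the logging facility the loader already uses, or rethrow it with context, so that operators can filter and collect it.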
Re: [PR] TOMEE-4318 | TOMEE-4317 - ActiveMQ 6 + Java 17 (tomee)
jungm commented on code in PR #1120: URL: https://github.com/apache/tomee/pull/1120#discussion_r1564185144 ## tomee/tomee-webaccess/pom.xml: ## @@ -42,6 +42,19 @@ true + + jdk15+ + +[15,) Review Comment: imo no reason to hide this dependency inside of a profile if the compile level is raised to 17 (also applies to java11plus profile above) ## container/openejb-loader/src/main/java/org/apache/openejb/loader/Embedder.java: ## @@ -105,6 +105,7 @@ private Class forcefulLoad(final ClassPath classPath, final ClassLoader classLoa } classPath.addJarsToPath(libsDir); } catch (final Exception e2) { +e2.printStackTrace(); Review Comment: Probably unwanted?
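Review bot: the `jdk15+` profile added in tomee/tomee-webaccess/pom.xml is activated by the JDK range `[15,)`, which makes the resolved dependency set depend on the JDK that runs the build rather than on the POM alone. With the Java 17 baseline named in the PR title the range always matches, so the profile adds indirection without selecting anything; declaring its contents unconditionally would keep the dependency tree identical across build machines and easier to audit with dependency scanners.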
EE10 - Jakarta Security OIDC
Hi,

looks like we need to implement OpenID Connect for Jakarta Security 3.0 - https://jakarta.ee/specifications/security/3.0/

If anyone wants to jump in and dive into the spec -> feel free :)

Regards
Richard
Re: [VOTE] Apache TomEE 9.1.3
Here is my own +1

On Monday, 08.04.2024 at 11:33 +0200, Richard Zowalla wrote:
> Hello everyone,
>
> This is a vote for the release of Apache TomEE 9.1.3
>
> It contains some version upgrades (cxf, jackson, batchee) and security
> backports for the recent Tomcat CVEs.
>
> Here are the hard facts:
>
> ###
>
> Maven Repo:
> https://repository.apache.org/content/repositories/orgapachetomee-1227/
>
> tomee-9.1.3-rc1
> Testing TomEE 9.1.3
> https://repository.apache.org/content/repositories/orgapachetomee-1227/
>
> ###
>
> Binaries & Source:
>
> https://dist.apache.org/repos/dist/dev/tomee/staging-1227/tomee-9.1.3/
>
> ###
>
> Tag:
>
> https://github.com/apache/tomee/releases/tag/tomee-project-9.1.3
>
> ###
>
> Release notes:
>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320=12354125
>
> ###
>
> Here is an adoc generated version of the changelog as well:
>
> == Dependency upgrade
>
> [.compact]
> - link:https://issues.apache.org/jira/browse/TOMEE-4305[TOMEE-4305] Backport fix for CVE-2024-23672 for TomEE 9.x
> - link:https://issues.apache.org/jira/browse/TOMEE-4306[TOMEE-4306] Backport fix for CVE-2024-24549 for TomEE 9.x
> - link:https://issues.apache.org/jira/browse/TOMEE-4316[TOMEE-4316] BatchEE 1.0.4
> - link:https://issues.apache.org/jira/browse/TOMEE-4290[TOMEE-4290] Jackson 2.16.2
> - link:https://issues.apache.org/jira/browse/TOMEE-4304[TOMEE-4304] cxf-core 4.0.4
>
> == New Feature
>
> [.compact]
> - link:https://issues.apache.org/jira/browse/TOMEE-3902[TOMEE-3902] Introduce placeholder replacement to enable MDB activation properties to be more customizable
>
> == Bug
>
> [.compact]
> - link:https://issues.apache.org/jira/browse/TOMEE-4295[TOMEE-4295] tomee-embedded-maven-plugin does not register microprofile endpoints
>
> ###
>
> Please note:
>
> Grype will report a vulnerability for
>
> apache-mime4j-core 0.8.7 0.8.10 java-archive GHSA-jw7r-rxff-gv24 Medium
>
> which is shaded inside of "geronimo-mail_2.1_spec-1.0.0-M1.jar".
>
> In its current version, the dependency is _NOT_ used inside of
> geronimo mail impl, so unless you are using the shaded classes
> yourself, we are not affected here.
> There is also another mail thread related to mail.
>
> For signature verification, you can check on the example script here:
> https://gist.github.com/rzo1/9fb1ca0d58e1fc982d596f2a94b10b32
>
> ###
>
> Please VOTE
>
> [+1] go ship it
> [+0] meh, don't care
> [-1] stop, there is a ${showstopper}
>
> The VOTE is open for 72h or as long as needed.
>
> Regards
> Richard
>
> P.S. On a personal note: This will be the last TomEE 9.1.x release I
> will be working on (no backports from my side anymore). I decided to
> invest my volunteer time in TomEE 10+ only. If someone else wants to
> maintain the 9.x line, I am happy to review related PRs.