Re: [VOTE] TomEE 8.0.15

2023-05-16 Thread Richard Zowalla
Hi,

the vote passes with 5 +1

Cesar Hernandez  (binding)
Daniel Dias Dos Santos 
Alex The Rocker
Richard Zowalla (binding)
Jean-Louis Monteiro (binding)

I'll proceed with the steps.

Regards
Richard

On Monday, 08.05.2023 at 14:50 +0200, Richard Zowalla wrote:
> Hi all,
> 
> this is a vote for a release of Apache TomEE 8.0.15.
> 
> It is a maintenance release with some bug fixes and dependency
> upgrades (addressing some CVEs)
> 
> ###
> 
> Maven Repo:
> https://repository.apache.org/content/repositories/orgapachetomee-1214/
> 
> 
> 
> tomee-8.0.15-rc1
> Testing TomEE 8.0.15 RC1
> 
> https://repository.apache.org/content/repositories/orgapachetomee-1214/
> 
> 
> 
> 
> ###
> 
> Binaries & Source:
> 
> https://dist.apache.org/repos/dist/dev/tomee/staging-1214/tomee-8.0.15/
> 
> ###
> 
> Tag:
> 
> https://github.com/apache/tomee/releases/tag/tomee-project-8.0.15
> 
> 
> ###
> 
> Release notes:
> 
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12352766
> 
> ###
> 
> Here is an adoc generated version of the changelog as well:
> 
> == Dependency upgrade
> 
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4188[TOMEE-4188]
> ActiveMQ 5.16.6
>  - link:https://issues.apache.org/jira/browse/TOMEE-4180[TOMEE-4180]
> CXF 3.5.5
>  - link:https://issues.apache.org/jira/browse/TOMEE-4187[TOMEE-4187]
> Commons FileUpload 1.5
>  - link:https://issues.apache.org/jira/browse/TOMEE-4210[TOMEE-4210]
> EclipseLink 2.7.12
>  - link:https://issues.apache.org/jira/browse/TOMEE-4211[TOMEE-4211]
> Hibernate Integration 5.6.15.Final
>  - link:https://issues.apache.org/jira/browse/TOMEE-4206[TOMEE-4206]
> Jackson 2.15.0
>  - link:https://issues.apache.org/jira/browse/TOMEE-4207[TOMEE-4207]
> Johnzon 1.2.20
>  - link:https://issues.apache.org/jira/browse/TOMEE-4205[TOMEE-4205]
> Jose4j 0.9.3
>  - link:https://issues.apache.org/jira/browse/TOMEE-4209[TOMEE-4209]
> Mojarra 2.3.19
>  - link:https://issues.apache.org/jira/browse/TOMEE-4195[TOMEE-4195]
> Tomcat 9.0.72 (CVE-2023-28708)
>  - link:https://issues.apache.org/jira/browse/TOMEE-4191[TOMEE-4191]
> Tomcat 9.0.73
>  - link:https://issues.apache.org/jira/browse/TOMEE-4201[TOMEE-4201]
> Tomcat 9.0.74
>  - link:https://issues.apache.org/jira/browse/TOMEE-4194[TOMEE-4194]
> snakeyaml version 2.0 mitigate CVE-2022-1471
> 
> == Bug
> 
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4192[TOMEE-4192]
> ApplicationComposers do not clear GC references on release
>  - link:https://issues.apache.org/jira/browse/TOMEE-4181[TOMEE-4181]
> BCProv jar loses its signature during the patch process
>  - link:https://issues.apache.org/jira/browse/TOMEE-4122[TOMEE-4122]
> Performance Regression in bean resolution in EAR files
>  - link:https://issues.apache.org/jira/browse/TOMEE-4189[TOMEE-4189]
> java.lang.ClassNotFoundException:
> org.apache.openejb.loader.SystemInstance
>  - link:https://issues.apache.org/jira/browse/TOMEE-4179[TOMEE-4179]
> Fix creeping in API JARs which should be in javaee-api
> 
> == Wish
> 
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4190[TOMEE-4190]
> RunWithApplicationComposer should support inheritance
> 
> == Fixed Common Vulnerabilities and Exposures (CVEs)
> 
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4194[TOMEE-4194]
> Update snakeyaml version to 2.0 to mitigate CVE-2022-1471
>  - link:https://issues.apache.org/jira/browse/TOMEE-4195[TOMEE-4195]
> Upgrade to Apache Tomcat 9.0.72 (CVE-2023-28708)
>  - link:https://issues.apache.org/jira/browse/TOMEE-4187[TOMEE-4187]
> Commons FileUpload 1.5
> 
> 
> ###
> 
> Here is the dependency diff from 8.0.14 to 8.0.15 created with our
> release tools:
> 
>  artifactId                from     to
>  ------------------------  -------  ------
>  jackson-annotations       2.14.1   2.15.0
>  jackson-core              2.14.1   2.15.0
>  jackson-databind          2.14.1   2.15.0
>  jackson-dataformat-yaml   2.14.1   2.15.0
>  saaj-impl                 1.5.1    1.5.3
>  activemq-broker           5.16.5   5.16.6
>  activemq-client           5.16.5   5.16.6
>  activemq-jdbc-store       5.16.5   5.16.6
>  activemq-kahadb-store     5.16.5   5.16.6
>  activemq-openwire-legacy  5.16.5   5.16.6
>  activemq-ra               5.16.5   5.16.6
>  cxf-rt-rs-mp-client       3.4.10   3.5.5
>  johnzon-core              1.2.19   1.2.20
>  johnzon-jaxrs             1.2.19   1.2.20
>  johnzon-jsonb             1.2.19   1.2.20
>  johnzon-jsonp-strict      1.2.19   1.2.20
>  johnzon-mapper            1.2.19   1.2.20
>  xmlsec                    2.2.3    2.3.2

Re: [VOTE] TomEE 8.0.15

2023-05-16 Thread Jean-Louis Monteiro
+1 (binding)

Thanks Richard and sorry for the delay. I started the review yesterday and
it looks good to me.
--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com


On Tue, May 16, 2023 at 10:51 AM Richard Zowalla  wrote:

> Here is my own +1 (binding)

Re: [VOTE] TomEE 8.0.15

2023-05-16 Thread Richard Zowalla
Here is my own +1 (binding)


Re: [VOTE] TomEE 8.0.15

2023-05-14 Thread Rod Jenkins
This is a good week for me to get the docker images out.   I’ll be ready.

Rod. 


> On May 14, 2023, at 1:15 PM, Jean-Louis Monteiro  wrote:
> 
> I promise I'll have a look tomorrow morning
> 
> On Sun, 14 May 2023, 20:02, Richard Zowalla wrote:
> 
>> Any more votes?
>> 

Re: [VOTE] TomEE 8.0.15

2023-05-14 Thread Jean-Louis Monteiro
I promise I'll have a look tomorrow morning

On Sun, 14 May 2023, 20:02, Richard Zowalla wrote:

> Any more votes?

Re: [VOTE] TomEE 8.0.15

2023-05-14 Thread Richard Zowalla
Any more votes?


On Monday, 08.05.2023 at 14:50 +0200, Richard Zowalla wrote:
> Hi all,
> 
> this is a vote for a release of Apache TomEE 8.0.15.
> 
> It is a maintenance release with some bug fixes and dependency
> upgrades (addressing some CVEs)
> 
> ###
> 
> Maven Repo:
> https://repository.apache.org/content/repositories/orgapachetomee-1214/
> 
> 
> 
> tomee-8.0.15-rc1
> Testing TomEE 8.0.15 RC1
> 
> https://repository.apache.org/content/repositories/orgapachetomee-1214/
> 
> 
> 
> 
> ###
> 
> Binaries & Source:
> 
> https://dist.apache.org/repos/dist/dev/tomee/staging-1214/tomee-8.0.15/
> 
> ###
> 
> Tag:
> 
> https://github.com/apache/tomee/releases/tag/tomee-project-8.0.15
> 
> 
> ###
> 
> Release notes:
> 
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12352766
> 
> ###
> 
> Here is an adoc generated version of the changelog as well:
> 
> == Dependency upgrade
> 
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4188[TOMEE-4188]
> ActiveMQ 5.16.6
>  - link:https://issues.apache.org/jira/browse/TOMEE-4180[TOMEE-4180]
> CXF 3.5.5
>  - link:https://issues.apache.org/jira/browse/TOMEE-4187[TOMEE-4187]
> Commons FileUpload 1.5
>  - link:https://issues.apache.org/jira/browse/TOMEE-4210[TOMEE-4210]
> EclipseLink 2.7.12
>  - link:https://issues.apache.org/jira/browse/TOMEE-4211[TOMEE-4211]
> Hibernate Integration 5.6.15.Final
>  - link:https://issues.apache.org/jira/browse/TOMEE-4206[TOMEE-4206]
> Jackson 2.15.0
>  - link:https://issues.apache.org/jira/browse/TOMEE-4207[TOMEE-4207]
> Johnzon 1.2.20
>  - link:https://issues.apache.org/jira/browse/TOMEE-4205[TOMEE-4205]
> Jose4j 0.9.3
>  - link:https://issues.apache.org/jira/browse/TOMEE-4209[TOMEE-4209]
> Mojarra 2.3.19
>  - link:https://issues.apache.org/jira/browse/TOMEE-4195[TOMEE-4195]
> Tomcat 9.0.72 (CVE-2023-28708)
>  - link:https://issues.apache.org/jira/browse/TOMEE-4191[TOMEE-4191]
> Tomcat 9.0.73
>  - link:https://issues.apache.org/jira/browse/TOMEE-4201[TOMEE-4201]
> Tomcat 9.0.74
>  - link:https://issues.apache.org/jira/browse/TOMEE-4194[TOMEE-4194]
> snakeyaml version 2.0 mitigate CVE-2022-1471
> 
> == Bug
> 
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4192[TOMEE-4192]
> ApplicationComposers do not clear GC references on release
>  - link:https://issues.apache.org/jira/browse/TOMEE-4181[TOMEE-4181]
> BCProv jar loses its signature during the patch process
>  - link:https://issues.apache.org/jira/browse/TOMEE-4122[TOMEE-4122]
> Performance Regression in bean resolution in EAR files
>  - link:https://issues.apache.org/jira/browse/TOMEE-4189[TOMEE-4189]
> java.lang.ClassNotFoundException:
> org.apache.openejb.loader.SystemInstance
>  - link:https://issues.apache.org/jira/browse/TOMEE-4179[TOMEE-4179]
> Fix creeping in API JARs which should be in javaee-api
> 
> == Wish
> 
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4190[TOMEE-4190]
> RunWithApplicationComposer should support inheritance
> 
> == Fixed Common Vulnerabilities and Exposures (CVEs)
> 
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4194[TOMEE-4194]
> Update snakeyaml version to 2.0 to mitigate CVE-2022-1471
>  - link:https://issues.apache.org/jira/browse/TOMEE-4195[TOMEE-4195]
> Upgrade to Apache Tomcat 9.0.72 (CVE-2023-28708)
>  - link:https://issues.apache.org/jira/browse/TOMEE-4187[TOMEE-4187]
> Commons FileUpload 1.5
> 
> 
> ###
> 
> Here is the dependency diff from 8.0.14 to 8.0.15 created with our
> release tools:
> 
>  artifactId                from     to
>  ------------------------  -------  ------
>  jackson-annotations       2.14.1   2.15.0
>  jackson-core              2.14.1   2.15.0
>  jackson-databind          2.14.1   2.15.0
>  jackson-dataformat-yaml   2.14.1   2.15.0
>  saaj-impl                 1.5.1    1.5.3
>  activemq-broker           5.16.5   5.16.6
>  activemq-client           5.16.5   5.16.6
>  activemq-jdbc-store       5.16.5   5.16.6
>  activemq-kahadb-store     5.16.5   5.16.6
>  activemq-openwire-legacy  5.16.5   5.16.6
>  activemq-ra               5.16.5   5.16.6
>  cxf-rt-rs-mp-client       3.4.10   3.5.5
>  johnzon-core              1.2.19   1.2.20
>  johnzon-jaxrs             1.2.19   1.2.20
>  johnzon-jsonb             1.2.19   1.2.20
>  johnzon-jsonp-strict      1.2.19   1.2.20
>  johnzon-mapper            1.2.19   1.2.20
>  xmlsec                    2.2.3    2.3.2
>  wss4j-bindings            2.3.3    2.4.1
>  wss4j-policy              2.3.3    2.4.1
>  wss4j-ws-security-common  2.3.3    2.4.1

Re: [VOTE] TomEE 8.0.15

2023-05-14 Thread Richard Zowalla
Thanks for testing the release candidate, Alex! It is very much
appreciated.

Regarding TomEE 9.0.x / 9.1.x - yes, we were discussing doing a
release. We need to run the TCK to get some actual numbers after the
updates for it, but I am confident that we didn't break too much. Stay
tuned.

Regards
Richard


On Sunday, 14.05.2023 at 18:29 +0200, Alex The Rocker wrote:
> On a side note, shouldn't there be a TomEE 9.0.1 with at least the same
> fixes as 8.0.15 - security fixes of course, but bug fixes as well if
> any?
> Having TomEE 9.0.0 lagging behind in terms of security & bug fixes
> wouldn't be a good incentive for Jakarta EE adoption, would it?
> 
> Thanks,
> Alex
> 
> On Sun, 14 May 2023 at 18:26, Alex The Rocker wrote:
> > 
> > +1 (non-binding)
> > 
> > Tested with several web apps based on servlet, JAX-RS, JAX-WS,
> > websockets, JMS, EJB ; with IBM Semeru 17.0.6 Java runtime on Linux
> > CentOS 7.9, and found no regressions.
> > (I was curious about impact of snakeyaml update to major 2.0
> > version,
> > my web apps rely on snakeyaml, and got no issue with Yaml parsing
> > with
> > this upgrade).
> > 
> > Thanks!
> > Alex

Re: [VOTE] TomEE 8.0.15

2023-05-14 Thread Alex The Rocker
On a side note, shouldn't there be a TomEE 9.0.1 with at least the same
fixes as 8.0.15 - security fixes of course, but bug fixes as well if
any?
Having TomEE 9.0.0 lagging behind in terms of security & bug fixes
wouldn't be a good incentive for Jakarta EE adoption, would it?

Thanks,
Alex

On Sun, 14 May 2023 at 18:26, Alex The Rocker wrote:
>
> +1 (non-binding)
>
> Tested with several web apps based on servlet, JAX-RS, JAX-WS,
> websockets, JMS, EJB ; with IBM Semeru 17.0.6 Java runtime on Linux
> CentOS 7.9, and found no regressions.
> (I was curious about impact of snakeyaml update to major 2.0 version,
> my web apps rely on snakeyaml, and got no issue with Yaml parsing with
> this upgrade).
>
> Thanks!
> Alex
>
> On Mon, 8 May 2023 at 14:50, Richard Zowalla wrote:
> >
> > Hi all,
> >
> > this is a vote for a release of Apache TomEE 8.0.15.
> >
> > It is a maintenance release with some bug fixes and dependencies
> > upgrades (addressing some CVEs)
> >
> > ###
> >
> > Maven Repo:
> > https://repository.apache.org/content/repositories/orgapachetomee-1214/
> >
> > 
> > 
> > tomee-8.0.15-rc1
> > Testing TomEE 8.0.15 RC1
> > 
> > https://repository.apache.org/content/repositories/orgapachetomee-1214/
> > 
> > 
> > 
> >
> > ###
> >
> > Binaries & Source:
> >
> > https://dist.apache.org/repos/dist/dev/tomee/staging-1214/tomee-8.0.15/
> >
> > ###
> >
> > Tag:
> >
> > https://github.com/apache/tomee/releases/tag/tomee-project-8.0.15
> >
> >
> > ###
> >
> > Release notes:
> >
> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12352766
> >
> > ###
> >
> > Here is an adoc generated version of the changelog as well:
> >
> > == Dependency upgrade
> >
> > [.compact]
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4188[TOMEE-4188]
> > ActiveMQ 5.16.6
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4180[TOMEE-4180]
> > CXF 3.5.5
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4187[TOMEE-4187]
> > Commons FileUpload 1.5
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4210[TOMEE-4210]
> > EclipseLink 2.7.12
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4211[TOMEE-4211]
> > Hibernate Integration 5.6.15.Final
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4206[TOMEE-4206]
> > Jackson 2.15.0
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4207[TOMEE-4207]
> > Johnzon 1.2.20
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4205[TOMEE-4205]
> > Jose4j 0.9.3
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4209[TOMEE-4209]
> > Mojarra 2.3.19
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4195[TOMEE-4195]
> > Tomcat 9.0.72 (CVE-2023-28708)
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4191[TOMEE-4191]
> > Tomcat 9.0.73
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4201[TOMEE-4201]
> > Tomcat 9.0.74
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4194[TOMEE-4194]
> > snakeyaml version 2.0 mitigate CVE-2022-1471
> >
> > == Bug
> >
> > [.compact]
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4192[TOMEE-4192]
> > ApplicationComposers do not clear GC references on release
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4181[TOMEE-4181]
> > BCProv jar loses its signature during the patch process
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4122[TOMEE-4122]
> > Performance Regression in bean resolution in EAR files
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4189[TOMEE-4189]
> > java.lang.ClassNotFoundException:
> > org.apache.openejb.loader.SystemInstance
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4179[TOMEE-4179]
> > Fix creeping in API JARs which should be in javaee-api
> >
> > == Wish
> >
> > [.compact]
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4190[TOMEE-4190]
> > RunWithApplicationComposer should support inheritance
> >
> > == Fixed Common Vulnerabilities and Exposures (CVEs)
> >
> > [.compact]
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4194[TOMEE-4194]
> > Update snakeyaml version to 2.0 to mitigate CVE-2022-1471
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4195[TOMEE-4195]
> > Upgrade to Apache Tomcat 9.0.72 (CVE-2023-28708)
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4187[TOMEE-4187]
> > Commons FileUpload 1.5
> >
> >
> > ###
> >
> > Here is the dependency diff from 8.0.14 to 8.0.15 created with our
> > release tools:
> >
> >  artifactId                from     to
> >  ------------------------  -------  -------
> >  jackson-annotations       2.14.1   2.15.0
> >  jackson-core              2.14.1   2.15.0
> >  jackson-databind          2.14.1   2.15.0
> >  jackson-dataformat-yaml   2.14.1   2.15.0
> >  saaj-impl                 1.5.1    1.5.3
> >  activemq-broker           5.16.5   5.16.6
> >  activemq-client           5.16.5   5.16.6
> >  ac

Re: [VOTE] TomEE 8.0.15

2023-05-14 Thread Alex The Rocker
+1 (non-binding)

Tested with several web apps based on servlet, JAX-RS, JAX-WS,
websockets, JMS, EJB ; with IBM Semeru 17.0.6 Java runtime on Linux
CentOS 7.9, and found no regressions.
(I was curious about impact of snakeyaml update to major 2.0 version,
my web apps rely on snakeyaml, and got no issue with Yaml parsing with
this upgrade).

Thanks!
Alex

On Mon, 8 May 2023 at 14:50, Richard Zowalla wrote:
>
> Hi all,
>
> this is a vote for a release of Apache TomEE 8.0.15.
>
> It is a maintenance release with some bug fixes and dependencies
> upgrades (addressing some CVEs)
>
> ###
>
> Maven Repo:
> https://repository.apache.org/content/repositories/orgapachetomee-1214/
>
> 
> 
> tomee-8.0.15-rc1
> Testing TomEE 8.0.15 RC1
> 
> https://repository.apache.org/content/repositories/orgapachetomee-1214/
> 
> 
> 
>
> ###
>
> Binaries & Source:
>
> https://dist.apache.org/repos/dist/dev/tomee/staging-1214/tomee-8.0.15/
>
> ###
>
> Tag:
>
> https://github.com/apache/tomee/releases/tag/tomee-project-8.0.15
>
>
> ###
>
> Release notes:
>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12352766
>
> ###
>
> Here is an adoc generated version of the changelog as well:
>
> == Dependency upgrade
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4188[TOMEE-4188]
> ActiveMQ 5.16.6
>  - link:https://issues.apache.org/jira/browse/TOMEE-4180[TOMEE-4180]
> CXF 3.5.5
>  - link:https://issues.apache.org/jira/browse/TOMEE-4187[TOMEE-4187]
> Commons FileUpload 1.5
>  - link:https://issues.apache.org/jira/browse/TOMEE-4210[TOMEE-4210]
> EclipseLink 2.7.12
>  - link:https://issues.apache.org/jira/browse/TOMEE-4211[TOMEE-4211]
> Hibernate Integration 5.6.15.Final
>  - link:https://issues.apache.org/jira/browse/TOMEE-4206[TOMEE-4206]
> Jackson 2.15.0
>  - link:https://issues.apache.org/jira/browse/TOMEE-4207[TOMEE-4207]
> Johnzon 1.2.20
>  - link:https://issues.apache.org/jira/browse/TOMEE-4205[TOMEE-4205]
> Jose4j 0.9.3
>  - link:https://issues.apache.org/jira/browse/TOMEE-4209[TOMEE-4209]
> Mojarra 2.3.19
>  - link:https://issues.apache.org/jira/browse/TOMEE-4195[TOMEE-4195]
> Tomcat 9.0.72 (CVE-2023-28708)
>  - link:https://issues.apache.org/jira/browse/TOMEE-4191[TOMEE-4191]
> Tomcat 9.0.73
>  - link:https://issues.apache.org/jira/browse/TOMEE-4201[TOMEE-4201]
> Tomcat 9.0.74
>  - link:https://issues.apache.org/jira/browse/TOMEE-4194[TOMEE-4194]
> snakeyaml version 2.0 mitigate CVE-2022-1471
>
> == Bug
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4192[TOMEE-4192]
> ApplicationComposers do not clear GC references on release
>  - link:https://issues.apache.org/jira/browse/TOMEE-4181[TOMEE-4181]
> BCProv jar loses its signature during the patch process
>  - link:https://issues.apache.org/jira/browse/TOMEE-4122[TOMEE-4122]
> Performance Regression in bean resolution in EAR files
>  - link:https://issues.apache.org/jira/browse/TOMEE-4189[TOMEE-4189]
> java.lang.ClassNotFoundException:
> org.apache.openejb.loader.SystemInstance
>  - link:https://issues.apache.org/jira/browse/TOMEE-4179[TOMEE-4179]
> Fix creeping in API JARs which should be in javaee-api
>
> == Wish
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4190[TOMEE-4190]
> RunWithApplicationComposer should support inheritance
>
> == Fixed Common Vulnerabilities and Exposures (CVEs)
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4194[TOMEE-4194]
> Update snakeyaml version to 2.0 to mitigate CVE-2022-1471
>  - link:https://issues.apache.org/jira/browse/TOMEE-4195[TOMEE-4195]
> Upgrade to Apache Tomcat 9.0.72 (CVE-2023-28708)
>  - link:https://issues.apache.org/jira/browse/TOMEE-4187[TOMEE-4187]
> Commons FileUpload 1.5
>
>
> ###
>
> Here is the dependency diff from 8.0.14 to 8.0.15 created with our
> release tools:
>
>  artifactId                from     to
>  ------------------------  -------  -------
>  jackson-annotations       2.14.1   2.15.0
>  jackson-core              2.14.1   2.15.0
>  jackson-databind          2.14.1   2.15.0
>  jackson-dataformat-yaml   2.14.1   2.15.0
>  saaj-impl                 1.5.1    1.5.3
>  activemq-broker           5.16.5   5.16.6
>  activemq-client           5.16.5   5.16.6
>  activemq-jdbc-store       5.16.5   5.16.6
>  activemq-kahadb-store     5.16.5   5.16.6
>  activemq-openwire-legacy  5.16.5   5.16.6
>  activemq-ra               5.16.5   5.16.6
>  cxf-rt-rs-mp-client       3.4.10   3.5.5
>  johnzon-core              1.2.19   1.2.20
>  johnzon-jaxrs             1.2.19   1.2.20
>  johnzon-jsonb             1.2.19   1.2.20
>  johnzon-jsonp-strict      1.2.19   1.2.20
>  johnzon-mapper            1.2.19   1.2.20
>  xmlsec                    2.2.3    2.3.2
>  wss4j-bindings            2.3.3    2.4.1
>  wss4j-pol

Re: [VOTE] TomEE 8.0.15

2023-05-10 Thread Richard Zowalla
Hi Alex,

importing the KEYS does not mean, that you "trust" the imported keys.
After importing the KEYS, you can verify, that the signature is good,
i.e. the file has not been tampered with.

However, due to the nature of public key cryptography, you need to
additionally verify that the key was created by the "real" Richard :-)

That means, you need to tell your PGP setup, that you "trust" the key
from me you previously imported in step 1, see details in [1].

Determining what the "level of trust" needs to be, is up to you. Some
people validate their key by face-to-face communication, voice
verification over phone or just trust the provided file in [2] by
default. For example you could also validate my key in [3] with the one
provided in [2] to be sure, that nobody has been tampering with the
KEYS file ;)

Hope it helps
Richard


[1] https://www.apache.org/info/verification.html#Validating
[2] https://downloads.apache.org/tomee/KEYS
[3] https://people.apache.org/keys/committer/rzo1


On Wednesday, 10.05.2023 at 11:43 +0200, Alex The Rocker wrote:
> Hello Richard,
> 
> Thanks for your answer, but I'm still confused: I previously imported
> TOMEE's Keys from
> https://downloads.apache.org/tomee/KEYS, so the "you should get
> knowledge of my key id
> (better complete fingerprint) on another, trustfully way" step is
> done, and yet gpg prints the warning.
> 
> Am I missing something?
> 
> Alex
> 
> On Wed, 10 May 2023 at 11:38, Richard Zowalla wrote:
> > 
> > Hi,
> > 
> > the signature could be successfully verified, that means it was
> > really
> > signed with my private key. The key claims it belongs to "Richard
> > Zowalla".
> > 
> > Yet, your GnuPG setup does not trust this key. Everybody could
> > create a
> > key for "Richard Zowalla"; all you know is somebody that created a
> > key
> > with user ID "Richard Zowalla" signed the artifact.
> > 
> > To be sure about whether the signer of the artifact is really who
> > he
> > claims to be (Richard Zowalla), you should get knowledge of my key
> > id
> > (better complete fingerprint) on another, trustfully way (it must
> > not
> > necessarily be secure, as only public information, namely the
> > public
> > key id, is transferred) - which you have done by downloading the
> > KEYS
> > file from the official ASF location.
> > 
> > After that, you would need to sign the key (depending on the level
> > of
> > trust for your use-case this might involve additional verification
> > steps). All keys you signed (and thus their signatures) will be
> > 'verified' in future.
> > 
> > The process is also described in [1]
> > 
> > Hope it helps.
> > 
> > Regards
> > Richard
> > 
> > [1] https://www.apache.org/info/verification.html#Validating
> > 
> > On Wednesday, 10.05.2023 at 10:46 +0200, Alex The Rocker wrote:
> > > Hello,
> > > 
> > > I have a doubt with this signature test:
> > > 
> > > wget
> > > https://dist.apache.org/repos/dist/dev/tomee/staging-1214/tomee-8.0.15/apache-tomee-8.0.15-plus.tar.gz
> > > cat > apache-tomee-8.0.15-plus.tar.gz.asc
> > > (here I copy paste the contents of
> > > https://dist.apache.org/repos/dist/dev/tomee/staging-1214/tomee-8.0.15/apache-tomee-8.0.15-plus.tar.gz.asc
> > > ,
> > > then I type control-D)
> > > $ gpg --verify apache-tomee-8.0.15-plus.tar.gz.asc
> > > apache-tomee-8.0.15-plus.tar.gz
> > > gpg: Signature made Mon 08 May 2023 02:36:20 PM CEST using RSA
> > > key ID
> > > E5B8A431
> > > gpg: Good signature from "Richard Zowalla (Code Signing Key)
> > > "
> > > gpg: WARNING: This key is not certified with a trusted signature!
> > > gpg:  There is no indication that the signature belongs
> > > to
> > > the owner.
> > > Primary key fingerprint: B83D 15E7 2253 ED11 04EB  4FBB DAB4 72F0
> > > E5B8 A431
> > > 
> > > Isn't the warning a bit scary ?
> > > 
> > > Note: I previously imported TOMEE's Keys from
> > > https://downloads.apache.org/tomee/KEYS which I save into a file
> > > /tmp/KEYS.tst, then used:
> > > gpg --import /tmp/KEYS.txt
> > > 
> > > Isn't there a way to make sure gpg won't complain about the
> > > trustiness
> > > of the signature ?
> > > 
> > > Thanks,
> > > Alex
> > > 
> > > On Mon, 8 May 2023 at 14:50, Richard Zowalla wrote:
> > > > 
> > > > Hi all,
> > > > 
> > > > this is a vote for a release of Apache TomEE 8.0.15.
> > > > 
> > > > It is a maintenance release with some bug fixes and
> > > > dependencies
> > > > upgrades (addressing some CVEs)
> > > > 
> > > > ###
> > > > 
> > > > Maven Repo:
> > > > https://repository.apache.org/content/repositories/orgapachetomee-1214/
> > > > 
> > > > 
> > > > 
> > > > tomee-8.0.15-rc1
> > > > Testing TomEE 8.0.15 RC1
> > > > 
> > > > https://repository.apache.org/content/repositories/orgapachetomee-1214/
> > > > 
> > > > 
> > > > 
> > > > 
> > > > ###
> > > > 
> > > > Binaries & Source:
> > > > 
> > > > https://dist.apache.org/repos/dist/dev/tomee/staging-1214/tomee-8.0.15/
> > > > 
> > > > ###
> > > > 
> > 
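
The distinction drawn in the message above (a good signature versus a key you have reason to believe is the signer's) can be checked mechanically by comparing the fingerprint in gpg's machine-readable status output with one obtained out-of-band. This is an added example, not code from the thread or from the TomEE project; the function names are hypothetical and the status lines are constructed samples. The pinned value is the fingerprint gpg printed in Alex's message.

```shell
#!/bin/sh
# Fingerprint as printed by gpg in the thread. Confirm it against the KEYS file
# and the committer key page before pinning it anywhere.
PINNED_FPR="B83D 15E7 2253 ED11 04EB  4FBB DAB4 72F0 E5B8 A431"

# Strip whitespace and upper-case, so "B83D 15E7 ..." compares equal to the
# unspaced form gpg writes on its status lines.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read `gpg --status-fd` lines on stdin and print a one-line verdict.
# $1 = fingerprint obtained out-of-band.
classify_status() {
  want=$(normalize_fpr "$1")
  awk -v want="$want" '
    $1 != "[GNUPG:]" { next }
    $2 == "GOODSIG"  { good = 1 }
    $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
    # VALIDSIG: field 3 is the signing key, field 12 the primary key.
    $2 == "VALIDSIG" { fpr = (NF >= 12) ? $12 : $3 }
    $2 ~ /^TRUST_/   { trust = $2 }
    END {
      if (bad || !good || fpr == "") { print "REJECT signature-not-valid"; exit }
      if (toupper(fpr) != want)      { print "REJECT fingerprint-mismatch"; exit }
      print "ACCEPT " (trust == "" ? "TRUST_NONE_REPORTED" : trust)
    }'
}

# Run gpg on a detached signature and judge the result against the pin.
# Usage: verify_release SIGFILE ARTIFACT FINGERPRINT
verify_release() {
  gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | classify_status "$3"
}

# Constructed sample: the situation in the thread. Good signature, key imported
# but never certified locally, so gpg reports TRUST_UNDEFINED.
sample_thread_case() {
  cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DAB472F0E5B8A431 Richard Zowalla (Code Signing Key)
[GNUPG:] VALIDSIG B83D15E72253ED1104EB4FBBDAB472F0E5B8A431 2023-05-08 1683549380 0 4 0 1 10 00 B83D15E72253ED1104EB4FBBDAB472F0E5B8A431
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

# Constructed sample: same user ID, different key. The signature is
# cryptographically good, yet it says nothing about who made it.
sample_same_name_other_key() {
  cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Richard Zowalla (Code Signing Key)
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2023-05-08 1683549380 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

# Demo on the constructed samples (gpg itself is not needed for this part).
sample_thread_case | classify_status "$PINNED_FPR"
sample_same_name_other_key | classify_status "$PINNED_FPR"
```

Both samples produce the same human-readable warning from gpg; only the fingerprint comparison tells them apart.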

Re: [VOTE] TomEE 8.0.15

2023-05-10 Thread Alex The Rocker
Hello Richard,

Thanks for your answer, but I'm still confused: I previously imported
TOMEE's Keys from
https://downloads.apache.org/tomee/KEYS, so the "you should get
knowledge of my key id
(better complete fingerprint) on another, trustfully way" step is
done, and yet gpg prints the warning.

Am I missing something?

Alex

On Wed, 10 May 2023 at 11:38, Richard Zowalla wrote:
>
> Hi,
>
> the signature could be successfully verified, that means it was really
> signed with my private key. The key claims it belongs to "Richard
> Zowalla".
>
> Yet, your GnuPG setup does not trust this key. Everybody could create a
> key for "Richard Zowalla"; all you know is somebody that created a key
> with user ID "Richard Zowalla" signed the artifact.
>
> To be sure about whether the signer of the artifact is really who he
> claims to be (Richard Zowalla), you should get knowledge of my key id
> (better complete fingerprint) on another, trustfully way (it must not
> necessarily be secure, as only public information, namely the public
> key id, is transferred) - which you have done by downloading the KEYS
> file from the official ASF location.
>
> After that, you would need to sign the key (depending on the level of
> trust for your use-case this might involve additional verification
> steps). All keys you signed (and thus their signatures) will be
> 'verified' in future.
>
> The process is also described in [1]
>
> Hope it helps.
>
> Regards
> Richard
>
> [1] https://www.apache.org/info/verification.html#Validating
>
> On Wednesday, 10.05.2023 at 10:46 +0200, Alex The Rocker wrote:
> > Hello,
> >
> > I have a doubt with this signature test:
> >
> > wget
> > https://dist.apache.org/repos/dist/dev/tomee/staging-1214/tomee-8.0.15/apache-tomee-8.0.15-plus.tar.gz
> > cat > apache-tomee-8.0.15-plus.tar.gz.asc
> > (here I copy paste the contents of
> > https://dist.apache.org/repos/dist/dev/tomee/staging-1214/tomee-8.0.15/apache-tomee-8.0.15-plus.tar.gz.asc
> > ,
> > then I type control-D)
> > $ gpg --verify apache-tomee-8.0.15-plus.tar.gz.asc
> > apache-tomee-8.0.15-plus.tar.gz
> > gpg: Signature made Mon 08 May 2023 02:36:20 PM CEST using RSA key ID
> > E5B8A431
> > gpg: Good signature from "Richard Zowalla (Code Signing Key)
> > "
> > gpg: WARNING: This key is not certified with a trusted signature!
> > gpg:  There is no indication that the signature belongs to
> > the owner.
> > Primary key fingerprint: B83D 15E7 2253 ED11 04EB  4FBB DAB4 72F0
> > E5B8 A431
> >
> > Isn't the warning a bit scary ?
> >
> > Note: I previously imported TOMEE's Keys from
> > https://downloads.apache.org/tomee/KEYS which I save into a file
> > /tmp/KEYS.tst, then used:
> > gpg --import /tmp/KEYS.txt
> >
> > Isn't there a way to make sure gpg won't complain about the
> > trustiness
> > of the signature ?
> >
> > Thanks,
> > Alex
> >
> > On Mon, 8 May 2023 at 14:50, Richard Zowalla wrote:
> > >
> > > Hi all,
> > >
> > > this is a vote for a release of Apache TomEE 8.0.15.
> > >
> > > It is a maintenance release with some bug fixes and dependencies
> > > upgrades (addressing some CVEs)
> > >
> > > ###
> > >
> > > Maven Repo:
> > > https://repository.apache.org/content/repositories/orgapachetomee-1214/
> > >
> > > 
> > > 
> > > tomee-8.0.15-rc1
> > > Testing TomEE 8.0.15 RC1
> > > 
> > > https://repository.apache.org/content/repositories/orgapachetomee-1214/
> > > 
> > > 
> > > 
> > >
> > > ###
> > >
> > > Binaries & Source:
> > >
> > > https://dist.apache.org/repos/dist/dev/tomee/staging-1214/tomee-8.0.15/
> > >
> > > ###
> > >
> > > Tag:
> > >
> > > https://github.com/apache/tomee/releases/tag/tomee-project-8.0.15
> > >
> > >
> > > ###
> > >
> > > Release notes:
> > >
> > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12352766
> > >
> > > ###
> > >
> > > Here is an adoc generated version of the changelog as well:
> > >
> > > == Dependency upgrade
> > >
> > > [.compact]
> > >  -
> > > link:https://issues.apache.org/jira/browse/TOMEE-4188[TOMEE-4188]
> > > ActiveMQ 5.16.6
> > >  -
> > > link:https://issues.apache.org/jira/browse/TOMEE-4180[TOMEE-4180]
> > > CXF 3.5.5
> > >  -
> > > link:https://issues.apache.org/jira/browse/TOMEE-4187[TOMEE-4187]
> > > Commons FileUpload 1.5
> > >  -
> > > link:https://issues.apache.org/jira/browse/TOMEE-4210[TOMEE-4210]
> > > EclipseLink 2.7.12
> > >  -
> > > link:https://issues.apache.org/jira/browse/TOMEE-4211[TOMEE-4211]
> > > Hibernate Integration 5.6.15.Final
> > >  -
> > > link:https://issues.apache.org/jira/browse/TOMEE-4206[TOMEE-4206]
> > > Jackson 2.15.0
> > >  -
> > > link:https://issues.apache.org/jira/browse/TOMEE-4207[TOMEE-4207]
> > > Johnzon 1.2.20
> > >  -
> > > link:https://issues.apache.org/jira/browse/TOMEE-4205[TOMEE-4205]
> > > Jose4j 0.9.3
> > >  -
> > > link:https://issues.apache.org/jira/browse/TOMEE-4209[TOMEE-4209]
> > > Mojarra 2.3.19
> > >  -
> > > link:https://issues.apache.

Re: [VOTE] TomEE 8.0.15

2023-05-10 Thread Richard Zowalla
Hi,

the signature could be successfully verified, that means it was really
signed with my private key. The key claims it belongs to "Richard
Zowalla".

Yet, your GnuPG setup does not trust this key. Everybody could create a
key for "Richard Zowalla"; all you know is somebody that created a key
with user ID "Richard Zowalla" signed the artifact.

To be sure about whether the signer of the artifact is really who he
claims to be (Richard Zowalla), you should get knowledge of my key id
(better complete fingerprint) on another, trustfully way (it must not
necessarily be secure, as only public information, namely the public
key id, is transferred) - which you have done by downloading the KEYS
file from the official ASF location.

After that, you would need to sign the key (depending on the level of
trust for your use-case this might involve additional verification
steps). All keys you signed (and thus their signatures) will be
'verified' in future.

The process is also described in [1]

Hope it helps.

Regards
Richard

[1] https://www.apache.org/info/verification.html#Validating

On Wednesday, 10.05.2023 at 10:46 +0200, Alex The Rocker wrote:
> Hello,
> 
> I have a doubt with this signature test:
> 
> wget
> https://dist.apache.org/repos/dist/dev/tomee/staging-1214/tomee-8.0.15/apache-tomee-8.0.15-plus.tar.gz
> cat > apache-tomee-8.0.15-plus.tar.gz.asc
> (here I copy paste the contents of
> https://dist.apache.org/repos/dist/dev/tomee/staging-1214/tomee-8.0.15/apache-tomee-8.0.15-plus.tar.gz.asc
> ,
> then I type control-D)
> $ gpg --verify apache-tomee-8.0.15-plus.tar.gz.asc
> apache-tomee-8.0.15-plus.tar.gz
> gpg: Signature made Mon 08 May 2023 02:36:20 PM CEST using RSA key ID
> E5B8A431
> gpg: Good signature from "Richard Zowalla (Code Signing Key)
> "
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:  There is no indication that the signature belongs to
> the owner.
> Primary key fingerprint: B83D 15E7 2253 ED11 04EB  4FBB DAB4 72F0
> E5B8 A431
> 
> Isn't the warning a bit scary ?
> 
> Note: I previously imported TOMEE's Keys from
> https://downloads.apache.org/tomee/KEYS which I save into a file
> /tmp/KEYS.tst, then used:
> gpg --import /tmp/KEYS.txt
> 
> Isn't there a way to make sure gpg won't complain about the
> trustiness
> of the signature ?
> 
> Thanks,
> Alex
> 
> On Mon, 8 May 2023 at 14:50, Richard Zowalla wrote:
> > 
> > Hi all,
> > 
> > this is a vote for a release of Apache TomEE 8.0.15.
> > 
> > It is a maintenance release with some bug fixes and dependencies
> > upgrades (addressing some CVEs)
> > 
> > ###
> > 
> > Maven Repo:
> > https://repository.apache.org/content/repositories/orgapachetomee-1214/
> > 
> > 
> > 
> > tomee-8.0.15-rc1
> > Testing TomEE 8.0.15 RC1
> > 
> > https://repository.apache.org/content/repositories/orgapachetomee-1214/
> > 
> > 
> > 
> > 
> > ###
> > 
> > Binaries & Source:
> > 
> > https://dist.apache.org/repos/dist/dev/tomee/staging-1214/tomee-8.0.15/
> > 
> > ###
> > 
> > Tag:
> > 
> > https://github.com/apache/tomee/releases/tag/tomee-project-8.0.15
> > 
> > 
> > ###
> > 
> > Release notes:
> > 
> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12352766
> > 
> > ###
> > 
> > Here is an adoc generated version of the changelog as well:
> > 
> > == Dependency upgrade
> > 
> > [.compact]
> >  -
> > link:https://issues.apache.org/jira/browse/TOMEE-4188[TOMEE-4188]
> > ActiveMQ 5.16.6
> >  -
> > link:https://issues.apache.org/jira/browse/TOMEE-4180[TOMEE-4180]
> > CXF 3.5.5
> >  -
> > link:https://issues.apache.org/jira/browse/TOMEE-4187[TOMEE-4187]
> > Commons FileUpload 1.5
> >  -
> > link:https://issues.apache.org/jira/browse/TOMEE-4210[TOMEE-4210]
> > EclipseLink 2.7.12
> >  -
> > link:https://issues.apache.org/jira/browse/TOMEE-4211[TOMEE-4211]
> > Hibernate Integration 5.6.15.Final
> >  -
> > link:https://issues.apache.org/jira/browse/TOMEE-4206[TOMEE-4206]
> > Jackson 2.15.0
> >  -
> > link:https://issues.apache.org/jira/browse/TOMEE-4207[TOMEE-4207]
> > Johnzon 1.2.20
> >  -
> > link:https://issues.apache.org/jira/browse/TOMEE-4205[TOMEE-4205]
> > Jose4j 0.9.3
> >  -
> > link:https://issues.apache.org/jira/browse/TOMEE-4209[TOMEE-4209]
> > Mojarra 2.3.19
> >  -
> > link:https://issues.apache.org/jira/browse/TOMEE-4195[TOMEE-4195]
> > Tomcat 9.0.72 (CVE-2023-28708)
> >  -
> > link:https://issues.apache.org/jira/browse/TOMEE-4191[TOMEE-4191]
> > Tomcat 9.0.73
> >  -
> > link:https://issues.apache.org/jira/browse/TOMEE-4201[TOMEE-4201]
> > Tomcat 9.0.74
> >  -
> > link:https://issues.apache.org/jira/browse/TOMEE-4194[TOMEE-4194]
> > snakeyaml version 2.0 mitigate CVE-2022-1471
> > 
> > == Bug
> > 
> > [.compact]
> >  -
> > link:https://issues.apache.org/jira/browse/TOMEE-4192[TOMEE-4192]
> > ApplicationComposers do not clear GC references on release
> >  -
> > link:https://issues.apache.org/jira/browse/TOMEE-4181[TOMEE-4181]
> > 

Re: [VOTE] TomEE 8.0.15

2023-05-10 Thread Jean-Louis Monteiro
Hi Alexandre,

I haven't checked the release yet. Maybe his signing key changed.

Best
--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com


On Wed, May 10, 2023 at 10:47 AM Alex The Rocker 
wrote:

> Hello,
>
> I have a doubt with this signature test:
>
> wget
> https://dist.apache.org/repos/dist/dev/tomee/staging-1214/tomee-8.0.15/apache-tomee-8.0.15-plus.tar.gz
> cat > apache-tomee-8.0.15-plus.tar.gz.asc
> (here I copy paste the contents of
>
> https://dist.apache.org/repos/dist/dev/tomee/staging-1214/tomee-8.0.15/apache-tomee-8.0.15-plus.tar.gz.asc
> ,
> then I type control-D)
> $ gpg --verify apache-tomee-8.0.15-plus.tar.gz.asc
> apache-tomee-8.0.15-plus.tar.gz
> gpg: Signature made Mon 08 May 2023 02:36:20 PM CEST using RSA key ID
> E5B8A431
> gpg: Good signature from "Richard Zowalla (Code Signing Key) <
> r...@apache.org>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:  There is no indication that the signature belongs to the
> owner.
> Primary key fingerprint: B83D 15E7 2253 ED11 04EB  4FBB DAB4 72F0 E5B8 A431
>
> Isn't the warning a bit scary ?
>
> Note: I previously imported TOMEE's Keys from
> https://downloads.apache.org/tomee/KEYS which I save into a file
> /tmp/KEYS.tst, then used:
> gpg --import /tmp/KEYS.txt
>
> Isn't there a way to make sure gpg won't complain about the trustiness
> of the signature ?
>
> Thanks,
> Alex
>
> On Mon, 8 May 2023 at 14:50, Richard Zowalla wrote:
> >
> > Hi all,
> >
> > this is a vote for a release of Apache TomEE 8.0.15.
> >
> > It is a maintenance release with some bug fixes and dependencies
> > upgrades (addressing some CVEs)
> >
> > ###
> >
> > Maven Repo:
> > https://repository.apache.org/content/repositories/orgapachetomee-1214/
> >
> > 
> > 
> > tomee-8.0.15-rc1
> > Testing TomEE 8.0.15 RC1
> > 
> > https://repository.apache.org/content/repositories/orgapachetomee-1214/
> > 
> > 
> > 
> >
> > ###
> >
> > Binaries & Source:
> >
> > https://dist.apache.org/repos/dist/dev/tomee/staging-1214/tomee-8.0.15/
> >
> > ###
> >
> > Tag:
> >
> > https://github.com/apache/tomee/releases/tag/tomee-project-8.0.15
> >
> >
> > ###
> >
> > Release notes:
> >
> >
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12352766
> >
> > ###
> >
> > Here is an adoc generated version of the changelog as well:
> >
> > == Dependency upgrade
> >
> > [.compact]
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4188[TOMEE-4188]
> > ActiveMQ 5.16.6
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4180[TOMEE-4180]
> > CXF 3.5.5
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4187[TOMEE-4187]
> > Commons FileUpload 1.5
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4210[TOMEE-4210]
> > EclipseLink 2.7.12
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4211[TOMEE-4211]
> > Hibernate Integration 5.6.15.Final
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4206[TOMEE-4206]
> > Jackson 2.15.0
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4207[TOMEE-4207]
> > Johnzon 1.2.20
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4205[TOMEE-4205]
> > Jose4j 0.9.3
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4209[TOMEE-4209]
> > Mojarra 2.3.19
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4195[TOMEE-4195]
> > Tomcat 9.0.72 (CVE-2023-28708)
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4191[TOMEE-4191]
> > Tomcat 9.0.73
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4201[TOMEE-4201]
> > Tomcat 9.0.74
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4194[TOMEE-4194]
> > snakeyaml version 2.0 mitigate CVE-2022-1471
> >
> > == Bug
> >
> > [.compact]
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4192[TOMEE-4192]
> > ApplicationComposers do not clear GC references on release
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4181[TOMEE-4181]
> > BCProv jar loses its signature during the patch process
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4122[TOMEE-4122]
> > Performance Regression in bean resolution in EAR files
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4189[TOMEE-4189]
> > java.lang.ClassNotFoundException:
> > org.apache.openejb.loader.SystemInstance
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4179[TOMEE-4179]
> > Fix creeping in API JARs which should be in javaee-api
> >
> > == Wish
> >
> > [.compact]
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4190[TOMEE-4190]
> > RunWithApplicationComposer should support inheritance
> >
> > == Fixed Common Vulnerabilities and Exposures (CVEs)
> >
> > [.compact]
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4194[TOMEE-4194]
> > Update snakeyaml version to 2.0 to mitigate CVE-2022-1471
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4195[TOMEE-4195]
> > Upgrade to Apache Tomcat 9.0.72 (CVE-2023-28708)
> >  - link:https

Re: [VOTE] TomEE 8.0.15

2023-05-10 Thread Alex The Rocker
Hello,

I have a doubt with this signature test:

wget https://dist.apache.org/repos/dist/dev/tomee/staging-1214/tomee-8.0.15/apache-tomee-8.0.15-plus.tar.gz
cat > apache-tomee-8.0.15-plus.tar.gz.asc
(here I copy paste the contents of
https://dist.apache.org/repos/dist/dev/tomee/staging-1214/tomee-8.0.15/apache-tomee-8.0.15-plus.tar.gz.asc,
then I type control-D)
$ gpg --verify apache-tomee-8.0.15-plus.tar.gz.asc apache-tomee-8.0.15-plus.tar.gz
gpg: Signature made Mon 08 May 2023 02:36:20 PM CEST using RSA key ID E5B8A431
gpg: Good signature from "Richard Zowalla (Code Signing Key) "
gpg: WARNING: This key is not certified with a trusted signature!
gpg:  There is no indication that the signature belongs to the owner.
Primary key fingerprint: B83D 15E7 2253 ED11 04EB  4FBB DAB4 72F0 E5B8 A431

Isn't the warning a bit scary ?

Note: I previously imported TOMEE's Keys from
https://downloads.apache.org/tomee/KEYS which I save into a file
/tmp/KEYS.tst, then used:
gpg --import /tmp/KEYS.txt

Isn't there a way to make sure gpg won't complain about the trustiness
of the signature ?

Thanks,
Alex

On Mon, 8 May 2023 at 14:50, Richard Zowalla wrote:
>
> Hi all,
>
> this is a vote for a release of Apache TomEE 8.0.15.
>
> It is a maintenance release with some bug fixes and dependencies
> upgrades (addressing some CVEs)
>
> ###
>
> Maven Repo:
> https://repository.apache.org/content/repositories/orgapachetomee-1214/
>
> 
> 
> tomee-8.0.15-rc1
> Testing TomEE 8.0.15 RC1
> 
> https://repository.apache.org/content/repositories/orgapachetomee-1214/
> 
> 
> 
>
> ###
>
> Binaries & Source:
>
> https://dist.apache.org/repos/dist/dev/tomee/staging-1214/tomee-8.0.15/
>
> ###
>
> Tag:
>
> https://github.com/apache/tomee/releases/tag/tomee-project-8.0.15
>
>
> ###
>
> Release notes:
>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12352766
>
> ###
>
> Here is an adoc generated version of the changelog as well:
>
> == Dependency upgrade
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4188[TOMEE-4188]
> ActiveMQ 5.16.6
>  - link:https://issues.apache.org/jira/browse/TOMEE-4180[TOMEE-4180]
> CXF 3.5.5
>  - link:https://issues.apache.org/jira/browse/TOMEE-4187[TOMEE-4187]
> Commons FileUpload 1.5
>  - link:https://issues.apache.org/jira/browse/TOMEE-4210[TOMEE-4210]
> EclipseLink 2.7.12
>  - link:https://issues.apache.org/jira/browse/TOMEE-4211[TOMEE-4211]
> Hibernate Integration 5.6.15.Final
>  - link:https://issues.apache.org/jira/browse/TOMEE-4206[TOMEE-4206]
> Jackson 2.15.0
>  - link:https://issues.apache.org/jira/browse/TOMEE-4207[TOMEE-4207]
> Johnzon 1.2.20
>  - link:https://issues.apache.org/jira/browse/TOMEE-4205[TOMEE-4205]
> Jose4j 0.9.3
>  - link:https://issues.apache.org/jira/browse/TOMEE-4209[TOMEE-4209]
> Mojarra 2.3.19
>  - link:https://issues.apache.org/jira/browse/TOMEE-4195[TOMEE-4195]
> Tomcat 9.0.72 (CVE-2023-28708)
>  - link:https://issues.apache.org/jira/browse/TOMEE-4191[TOMEE-4191]
> Tomcat 9.0.73
>  - link:https://issues.apache.org/jira/browse/TOMEE-4201[TOMEE-4201]
> Tomcat 9.0.74
>  - link:https://issues.apache.org/jira/browse/TOMEE-4194[TOMEE-4194]
> snakeyaml version 2.0 mitigate CVE-2022-1471
>
> == Bug
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4192[TOMEE-4192]
> ApplicationComposers do not clear GC references on release
>  - link:https://issues.apache.org/jira/browse/TOMEE-4181[TOMEE-4181]
> BCProv jar loses its signature during the patch process
>  - link:https://issues.apache.org/jira/browse/TOMEE-4122[TOMEE-4122]
> Performance Regression in bean resolution in EAR files
>  - link:https://issues.apache.org/jira/browse/TOMEE-4189[TOMEE-4189]
> java.lang.ClassNotFoundException:
> org.apache.openejb.loader.SystemInstance
>  - link:https://issues.apache.org/jira/browse/TOMEE-4179[TOMEE-4179]
> Fix creeping in API JARs which should be in javaee-api
>
> == Wish
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4190[TOMEE-4190]
> RunWithApplicationComposer should support inheritance
>
> == Fixed Common Vulnerabilities and Exposures (CVEs)
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4194[TOMEE-4194]
> Update snakeyaml version to 2.0 to mitigate CVE-2022-1471
>  - link:https://issues.apache.org/jira/browse/TOMEE-4195[TOMEE-4195]
> Upgrade to Apache Tomcat 9.0.72 (CVE-2023-28708)
>  - link:https://issues.apache.org/jira/browse/TOMEE-4187[TOMEE-4187]
> Commons FileUpload 1.5
>
>
> ###
>
> Here is the dependency diff from 8.0.14 to 8.0.15 created with our
> release tools:
>
>  artifactId                     from     to
>  -----------------------------  -------  -------
>  jackson-annotations            2.14.1   2.15.0
>  jackson-core                   2.14.1   2.15.0
>  jackson-databind               2.14.1   2.15.0
>  jackson-dataformat-yaml        2.14.1   2.15.0
>  saaj-impl   
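
The warning in the gpg output above is about how far the local keyring trusts the key, not about whether the signature is cryptographically valid. As an added example (not part of the original message or of TomEE's release tooling), this script reads gpg's machine-readable status output and pins the signer to the primary key fingerprint shown above; the function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Primary key fingerprint as printed by gpg in the message above.
EXPECTED_FPR="B83D 15E7 2253 ED11 04EB  4FBB DAB4 72F0 E5B8 A431"

# Constructed sample of `gpg --status-fd 1 --verify` output for a good
# signature from a key with no local certification (the case in the thread).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DAB472F0E5B8A431 Richard Zowalla (Code Signing Key)
[GNUPG:] VALIDSIG B83D15E72253ED1104EB4FBBDAB472F0E5B8A431 2023-05-08 1683549380 0 4 0 1 10 00 B83D15E72253ED1104EB4FBBDAB472F0E5B8A431
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Strip spaces and upper-case the hex so both spellings compare equal.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# check_status STATUS_TEXT EXPECTED_FPR
# Succeeds only if there is exactly one VALIDSIG line, its primary key
# fingerprint (last field) matches, and no failure keyword is present.
check_status() {
  cs_status=$1
  cs_want=$(normalize_fpr "$2")
  if printf '%s\n' "$cs_status" |
     grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) '; then
    return 1
  fi
  # Several VALIDSIG lines yield a multi-line value, which fails the match.
  cs_got=$(printf '%s\n' "$cs_status" |
           awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF }')
  [ -n "$cs_got" ] && [ "$cs_got" = "$cs_want" ]
}

# trust_level STATUS_TEXT
# Prints the TRUST_* keyword; TRUST_UNDEFINED is what triggers the
# "not certified with a trusted signature" warning.
trust_level() {
  printf '%s\n' "$1" |
    awk '$1 == "[GNUPG:]" && $2 ~ /^TRUST_/ { print $2; exit }'
}

# verify_release SIGNATURE_FILE DATA_FILE
# Runs gpg for real and applies the same checks to its status output.
verify_release() {
  vr_status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null || true)
  check_status "$vr_status" "$EXPECTED_FPR"
}

# Example call, once both files are downloaded:
#   verify_release apache-tomee-8.0.15-plus.tar.gz.asc apache-tomee-8.0.15-plus.tar.gz
```

Once the fingerprint has been confirmed through an independent channel, certifying the key locally with `gpg --lsign-key` (this needs a secret key of your own in the keyring) makes gpg treat it as valid, and the warning no longer appears.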

Re: [VOTE] TomEE 8.0.15

2023-05-09 Thread Daniel Dias Dos Santos
Hello,

+1

On Tue, May 9, 2023, 14:45 Cesar Hernandez  wrote:

> Reviewed latest CI builds, sanity checks and release notes.
> +1, thank you!
>
> El lun, 8 may 2023 a las 6:50, Richard Zowalla ()
> escribió:
>
> > Hi all,
> >
> > this is a vote for a release of Apache TomEE 8.0.15.
> >
> > It is a maintenance release with some bug fixes and dependencies
> > upgrades (addressing some CVEs)
> >
> > ###
> >
> > Maven Repo:
> > https://repository.apache.org/content/repositories/orgapachetomee-1214/
> >
> > 
> > 
> > tomee-8.0.15-rc1
> > Testing TomEE 8.0.15 RC1
> > 
> > https://repository.apache.org/content/repositories/orgapachetomee-1214/
> > 
> > 
> > 
> >
> > ###
> >
> > Binaries & Source:
> >
> > https://dist.apache.org/repos/dist/dev/tomee/staging-1214/tomee-8.0.15/
> >
> > ###
> >
> > Tag:
> >
> > https://github.com/apache/tomee/releases/tag/tomee-project-8.0.15
> >
> >
> > ###
> >
> > Release notes:
> >
> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12352766
> >
> > ###
> >
> > Here is an adoc generated version of the changelog as well:
> >
> > == Dependency upgrade
> >
> > [.compact]
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4188[TOMEE-4188]
> > ActiveMQ 5.16.6
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4180[TOMEE-4180]
> > CXF 3.5.5
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4187[TOMEE-4187]
> > Commons FileUpload 1.5
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4210[TOMEE-4210]
> > EclipseLink 2.7.12
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4211[TOMEE-4211]
> > Hibernate Integration 5.6.15.Final
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4206[TOMEE-4206]
> > Jackson 2.15.0
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4207[TOMEE-4207]
> > Johnzon 1.2.20
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4205[TOMEE-4205]
> > Jose4j 0.9.3
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4209[TOMEE-4209]
> > Mojarra 2.3.19
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4195[TOMEE-4195]
> > Tomcat 9.0.72 (CVE-2023-28708)
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4191[TOMEE-4191]
> > Tomcat 9.0.73
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4201[TOMEE-4201]
> > Tomcat 9.0.74
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4194[TOMEE-4194]
> > snakeyaml version 2.0 mitigate CVE-2022-1471
> >
> > == Bug
> >
> > [.compact]
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4192[TOMEE-4192]
> > ApplicationComposers do not clear GC references on release
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4181[TOMEE-4181]
> > BCProv jar loses its signature during the patch process
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4122[TOMEE-4122]
> > Performance Regression in bean resolution in EAR files
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4189[TOMEE-4189]
> > java.lang.ClassNotFoundException:
> > org.apache.openejb.loader.SystemInstance
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4179[TOMEE-4179]
> > Fix creeping in API JARs which should be in javaee-api
> >
> > == Wish
> >
> > [.compact]
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4190[TOMEE-4190]
> > RunWithApplicationComposer should support inheritance
> >
> > == Fixed Common Vulnerabilities and Exposures (CVEs)
> >
> > [.compact]
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4194[TOMEE-4194]
> > Update snakeyaml version to 2.0 to mitigate CVE-2022-1471
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4195[TOMEE-4195]
> > Upgrade to Apache Tomcat 9.0.72 (CVE-2023-28708)
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4187[TOMEE-4187]
> > Commons FileUpload 1.5
> >
> >
> > ###
> >
> > Here is the dependency diff from 8.0.14 to 8.0.15 created with our
> > release tools:
> >
> >  artifactId                     from     to
> >  -----------------------------  -------  -------
> >  jackson-annotations            2.14.1   2.15.0
> >  jackson-core                   2.14.1   2.15.0
> >  jackson-databind               2.14.1   2.15.0
> >  jackson-dataformat-yaml        2.14.1   2.15.0
> >  saaj-impl                      1.5.1    1.5.3
> >  activemq-broker                5.16.5   5.16.6
> >  activemq-client                5.16.5   5.16.6
> >  activemq-jdbc-store            5.16.5   5.16.6
> >  activemq-kahadb-store          5.16.5   5.16.6
> >  activemq-openwire-legacy       5.16.5   5.16.6
> >  activemq-ra                    5.16.5   5.16.6
> >  cxf-rt-rs-mp-client            3.4.10   3.5.5
> >  johnzon-core                   1.2.19   1.2.20
> >  johnzon-jaxrs                  1.2.19   1.2.20
> >  johnzon-jsonb                  1.2.19   1.2.20
> >  johnzon-jsonp-strict           1.2.19   1.2.20
> >  johnzon-mapper 

Re: [VOTE] TomEE 8.0.15

2023-05-09 Thread Cesar Hernandez
Reviewed latest CI builds, sanity checks and release notes.
+1, thank you!

El lun, 8 may 2023 a las 6:50, Richard Zowalla () escribió:

> Hi all,
>
> this is a vote for a release of Apache TomEE 8.0.15.
>
> It is a maintenance release with some bug fixes and dependencies
> upgrades (addressing some CVEs)
>
> ###
>
> Maven Repo:
> https://repository.apache.org/content/repositories/orgapachetomee-1214/
>
> 
> 
> tomee-8.0.15-rc1
> Testing TomEE 8.0.15 RC1
> 
> https://repository.apache.org/content/repositories/orgapachetomee-1214/
> 
> 
> 
>
> ###
>
> Binaries & Source:
>
> https://dist.apache.org/repos/dist/dev/tomee/staging-1214/tomee-8.0.15/
>
> ###
>
> Tag:
>
> https://github.com/apache/tomee/releases/tag/tomee-project-8.0.15
>
>
> ###
>
> Release notes:
>
>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12352766
>
> ###
>
> Here is an adoc generated version of the changelog as well:
>
> == Dependency upgrade
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4188[TOMEE-4188]
> ActiveMQ 5.16.6
>  - link:https://issues.apache.org/jira/browse/TOMEE-4180[TOMEE-4180]
> CXF 3.5.5
>  - link:https://issues.apache.org/jira/browse/TOMEE-4187[TOMEE-4187]
> Commons FileUpload 1.5
>  - link:https://issues.apache.org/jira/browse/TOMEE-4210[TOMEE-4210]
> EclipseLink 2.7.12
>  - link:https://issues.apache.org/jira/browse/TOMEE-4211[TOMEE-4211]
> Hibernate Integration 5.6.15.Final
>  - link:https://issues.apache.org/jira/browse/TOMEE-4206[TOMEE-4206]
> Jackson 2.15.0
>  - link:https://issues.apache.org/jira/browse/TOMEE-4207[TOMEE-4207]
> Johnzon 1.2.20
>  - link:https://issues.apache.org/jira/browse/TOMEE-4205[TOMEE-4205]
> Jose4j 0.9.3
>  - link:https://issues.apache.org/jira/browse/TOMEE-4209[TOMEE-4209]
> Mojarra 2.3.19
>  - link:https://issues.apache.org/jira/browse/TOMEE-4195[TOMEE-4195]
> Tomcat 9.0.72 (CVE-2023-28708)
>  - link:https://issues.apache.org/jira/browse/TOMEE-4191[TOMEE-4191]
> Tomcat 9.0.73
>  - link:https://issues.apache.org/jira/browse/TOMEE-4201[TOMEE-4201]
> Tomcat 9.0.74
>  - link:https://issues.apache.org/jira/browse/TOMEE-4194[TOMEE-4194]
> snakeyaml version 2.0 mitigate CVE-2022-1471
>
> == Bug
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4192[TOMEE-4192]
> ApplicationComposers do not clear GC references on release
>  - link:https://issues.apache.org/jira/browse/TOMEE-4181[TOMEE-4181]
> BCProv jar loses its signature during the patch process
>  - link:https://issues.apache.org/jira/browse/TOMEE-4122[TOMEE-4122]
> Performance Regression in bean resolution in EAR files
>  - link:https://issues.apache.org/jira/browse/TOMEE-4189[TOMEE-4189]
> java.lang.ClassNotFoundException:
> org.apache.openejb.loader.SystemInstance
>  - link:https://issues.apache.org/jira/browse/TOMEE-4179[TOMEE-4179]
> Fix creeping in API JARs which should be in javaee-api
>
> == Wish
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4190[TOMEE-4190]
> RunWithApplicationComposer should support inheritance
>
> == Fixed Common Vulnerabilities and Exposures (CVEs)
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4194[TOMEE-4194]
> Update snakeyaml version to 2.0 to mitigate CVE-2022-1471
>  - link:https://issues.apache.org/jira/browse/TOMEE-4195[TOMEE-4195]
> Upgrade to Apache Tomcat 9.0.72 (CVE-2023-28708)
>  - link:https://issues.apache.org/jira/browse/TOMEE-4187[TOMEE-4187]
> Commons FileUpload 1.5
>
>
> ###
>
> Here is the dependency diff from 8.0.14 to 8.0.15 created with our
> release tools:
>
>  artifactId                     from     to
>  -----------------------------  -------  -------
>  jackson-annotations            2.14.1   2.15.0
>  jackson-core                   2.14.1   2.15.0
>  jackson-databind               2.14.1   2.15.0
>  jackson-dataformat-yaml        2.14.1   2.15.0
>  saaj-impl                      1.5.1    1.5.3
>  activemq-broker                5.16.5   5.16.6
>  activemq-client                5.16.5   5.16.6
>  activemq-jdbc-store            5.16.5   5.16.6
>  activemq-kahadb-store          5.16.5   5.16.6
>  activemq-openwire-legacy       5.16.5   5.16.6
>  activemq-ra                    5.16.5   5.16.6
>  cxf-rt-rs-mp-client            3.4.10   3.5.5
>  johnzon-core                   1.2.19   1.2.20
>  johnzon-jaxrs                  1.2.19   1.2.20
>  johnzon-jsonb                  1.2.19   1.2.20
>  johnzon-jsonp-strict           1.2.19   1.2.20
>  johnzon-mapper                 1.2.19   1.2.20
>  xmlsec                         2.2.3    2.3.2
>  wss4j-bindings                 2.3.3    2.4.1
>  wss4j-policy                   2.3.3    2.4.1
>  wss4j-ws-security-common       2.3.3    2.4.1
>  wss4j-ws-security-dom          2.3.3    2.4.1
>  wss4j-ws-security-policy-stax  2.3.3    2.4.1
>  wss4j-ws

[VOTE] TomEE 8.0.15

2023-05-08 Thread Richard Zowalla
Hi all,

this is a vote for a release of Apache TomEE 8.0.15.

It is a maintenance release with some bug fixes and dependencies
upgrades (addressing some CVEs)

###

Maven Repo:
https://repository.apache.org/content/repositories/orgapachetomee-1214/



tomee-8.0.15-rc1
Testing TomEE 8.0.15 RC1

https://repository.apache.org/content/repositories/orgapachetomee-1214/




###

Binaries & Source:

https://dist.apache.org/repos/dist/dev/tomee/staging-1214/tomee-8.0.15/

###

Tag:

https://github.com/apache/tomee/releases/tag/tomee-project-8.0.15


###

Release notes:

https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12352766

###

Here is an adoc generated version of the changelog as well:

== Dependency upgrade

[.compact]
 - link:https://issues.apache.org/jira/browse/TOMEE-4188[TOMEE-4188]
ActiveMQ 5.16.6
 - link:https://issues.apache.org/jira/browse/TOMEE-4180[TOMEE-4180]
CXF 3.5.5
 - link:https://issues.apache.org/jira/browse/TOMEE-4187[TOMEE-4187]
Commons FileUpload 1.5
 - link:https://issues.apache.org/jira/browse/TOMEE-4210[TOMEE-4210]
EclipseLink 2.7.12
 - link:https://issues.apache.org/jira/browse/TOMEE-4211[TOMEE-4211]
Hibernate Integration 5.6.15.Final
 - link:https://issues.apache.org/jira/browse/TOMEE-4206[TOMEE-4206]
Jackson 2.15.0
 - link:https://issues.apache.org/jira/browse/TOMEE-4207[TOMEE-4207]
Johnzon 1.2.20
 - link:https://issues.apache.org/jira/browse/TOMEE-4205[TOMEE-4205]
Jose4j 0.9.3
 - link:https://issues.apache.org/jira/browse/TOMEE-4209[TOMEE-4209]
Mojarra 2.3.19
 - link:https://issues.apache.org/jira/browse/TOMEE-4195[TOMEE-4195]
Tomcat 9.0.72 (CVE-2023-28708)
 - link:https://issues.apache.org/jira/browse/TOMEE-4191[TOMEE-4191]
Tomcat 9.0.73
 - link:https://issues.apache.org/jira/browse/TOMEE-4201[TOMEE-4201]
Tomcat 9.0.74
 - link:https://issues.apache.org/jira/browse/TOMEE-4194[TOMEE-4194]
snakeyaml version 2.0 mitigate CVE-2022-1471

== Bug

[.compact]
 - link:https://issues.apache.org/jira/browse/TOMEE-4192[TOMEE-4192]
ApplicationComposers do not clear GC references on release
 - link:https://issues.apache.org/jira/browse/TOMEE-4181[TOMEE-4181]
BCProv jar loses its signature during the patch process
 - link:https://issues.apache.org/jira/browse/TOMEE-4122[TOMEE-4122]
Performance Regression in bean resolution in EAR files
 - link:https://issues.apache.org/jira/browse/TOMEE-4189[TOMEE-4189]
java.lang.ClassNotFoundException:
org.apache.openejb.loader.SystemInstance
 - link:https://issues.apache.org/jira/browse/TOMEE-4179[TOMEE-4179]
Fix creeping in API JARs which should be in javaee-api

== Wish

[.compact]
 - link:https://issues.apache.org/jira/browse/TOMEE-4190[TOMEE-4190]
RunWithApplicationComposer should support inheritance

== Fixed Common Vulnerabilities and Exposures (CVEs)

[.compact]
 - link:https://issues.apache.org/jira/browse/TOMEE-4194[TOMEE-4194]
Update snakeyaml version to 2.0 to mitigate CVE-2022-1471
 - link:https://issues.apache.org/jira/browse/TOMEE-4195[TOMEE-4195]
Upgrade to Apache Tomcat 9.0.72 (CVE-2023-28708)
 - link:https://issues.apache.org/jira/browse/TOMEE-4187[TOMEE-4187]
Commons FileUpload 1.5


###

Here is the dependency diff from 8.0.14 to 8.0.15 created with our
release tools:

 artifactId                     from     to
 -----------------------------  -------  -------
 jackson-annotations            2.14.1   2.15.0
 jackson-core                   2.14.1   2.15.0
 jackson-databind               2.14.1   2.15.0
 jackson-dataformat-yaml        2.14.1   2.15.0
 saaj-impl                      1.5.1    1.5.3
 activemq-broker                5.16.5   5.16.6
 activemq-client                5.16.5   5.16.6
 activemq-jdbc-store            5.16.5   5.16.6
 activemq-kahadb-store          5.16.5   5.16.6
 activemq-openwire-legacy       5.16.5   5.16.6
 activemq-ra                    5.16.5   5.16.6
 cxf-rt-rs-mp-client            3.4.10   3.5.5
 johnzon-core                   1.2.19   1.2.20
 johnzon-jaxrs                  1.2.19   1.2.20
 johnzon-jsonb                  1.2.19   1.2.20
 johnzon-jsonp-strict           1.2.19   1.2.20
 johnzon-mapper                 1.2.19   1.2.20
 xmlsec                         2.2.3    2.3.2
 wss4j-bindings                 2.3.3    2.4.1
 wss4j-policy                   2.3.3    2.4.1
 wss4j-ws-security-common       2.3.3    2.4.1
 wss4j-ws-security-dom          2.3.3    2.4.1
 wss4j-ws-security-policy-stax  2.3.3    2.4.1
 wss4j-ws-security-stax         2.3.3    2.4.1
 jose4j                         0.6.0    0.9.3
 eclipselink                    2.7.11   2.7.12
 jakarta.faces                  2.3.18   2.3.19