Re: 8.0.14 next week? [Was: Having 8.0.14 before christmas? Opinions?]

2023-01-13 Thread Richard Zowalla
Yes. I just updated from 9.0.70 to 9.0.71.

I am currently planning to start a vote on Tuesday next week (if nothing
else occupies me on that day)

Regards
Richard

On Friday, 13.01.2023 at 15:03 +0100, Alex The Rocker wrote:
> Hello Richard,
> 
> Can upcoming TomEE 8.0.14 integrate Tomcat 9.0.71, or at least Tomcat
> 9.0.69 so as to fix CVE-2022-45143?
> 
> This latter CVE is rated High
> (https://nvd.nist.gov/vuln/detail/CVE-2022-45143) so given the high
> attention on CVEs, it would be too bad to miss this one.
> 
> Thanks,
> Alex
> 
> On Wed, 11 Jan 2023 at 19:17, Alex The Rocker wrote:
> > Thanks Richard for this clarification (hope it's available in TomEE
> > Security page to avoid people asking the same question)
> > 
> > => When can TomEE 8.0.14 vote start?
> > 
> > Alex
> > 
> > On Wed, 11 Jan 2023 at 15:11, Richard Zowalla wrote:
> > > Hi Alex,
> > > 
> > > thanks for the reply.
> > > 
> > > There is an issue regarding CVE-2022-1471 (snakeyaml) [1].
> > > Snakeyaml is
> > > a transient dependency of jackson-dataformat-yaml (which is used
> > > in
> > > OpenAPI). According to the Jackson people [2], they are not
> > > affected
> > > [2].
> > > 
> > > Therefore, I don't think that we are impacted.
> > > 
> > > Regards
> > > Richard
> > > 
> > > 
> > > [1] 
> > > https://issues.apache.org/jira/projects/TOMEE/issues/TOMEE-4169
> > > [2] 
> > > https://github.com/FasterXML/jackson-dataformats-text/issues/361
> > > 
> > > 
> > > On Wednesday, 11.01.2023 at 14:32 +0100, Alex The Rocker wrote:
> > > > Hello Richard,
> > > > 
> > > > I give a big +1 for having a 8.0.14 release ASAP.
> > > > 
> > > > I have nothing to ask for beyond the (many) CVE fixes done
> > > > so
> > > > far,
> > > > except maybe if it could be checked if TomEE+ usage of
> > > > snakeyaml
> > > > (which is part of TomEE+ libraries) systematically relies on
> > > > SnakeYaml's SafeConstructor, so as to avoid recent CVEs on
> > > > SnakeYaml...
> > > > 
> > > > Thanks,
> > > > Alex
> > > > 
> > > > On Wed, 11 Jan 2023 at 09:17, Richard Zowalla wrote:
> > > > > Hi all,
> > > > > 
> > > > > I would like to bring up 8.0.14 for a VOTE next week.
> > > > > 
> > > > > Is there anything (dep updates, etc.) we need to include
> > > > > before
> > > > > proceeding with the preparations?
> > > > > 
> > > > > Current changes:
> > > > > https://issues.apache.org/jira/projects/TOMEE/versions/12352390
> > > > > 
> > > > > CXF 3.4.10 will be the last release of the 3.4.x series, so
> > > > > we
> > > > > likely
> > > > > need to upgrade to 3.5.x but I don't think that we should
> > > > > include
> > > > > that
> > > > > for 8.0.14 yet.
> > > > > 
> > > > > Nightlies can be found here:
> > > > > https://repository.apache.org/content/groups/snapshots/org/apache/tomee/apache-tomee/8.0.14-SNAPSHOT/
> > > > > 
> > > > > Regards
> > > > > Richard
> > > > > 
> > > > > 
> > > > > 
> > > > > On Thursday, 22.12.2022 at 15:18 +0100, Thomas
> > > > > Andraschko wrote:
> > > > > > also created 2 issues for further dependency upgrades:
> > > > > > https://issues.apache.org/jira/browse/TOMEE-4130
> > > > > > https://issues.apache.org/jira/browse/TOMEE-4129
> > > > > > 
> > > > > > is there a reason we don't have the GitHub Dependabot on
> > > > > > master
> > > > > > and
> > > > > > 8.0x?
> > > > > > 
> > > > > > On Thu, 22 Dec 2022 at 15:07, Thomas
> > > > > > Andraschko <
> > > > > > andraschko.tho...@gmail.com> wrote:
> > > > > > 
> > > > > > > +1 for this as it will fix the new CXF CVE
> > > > > > > 
> > > > > > > On Wed, 21 Dec 2022 at 11:03, Richard
> > > > > > > Zowalla <
> > > > > > > r...@apache.org> wrote:
> > > > > > > 
> > > > > > > > To follow up on that:
> > > > > > > > 
> > > > > > > > I had a quick conversation with Jon about that topic.
> > > > > > > > We need to fix TOMEE-4014 (regarding the keep.version
> > > > > > > > property,
> > > > > > > > see
> > > > > > > > [1]) before we can bring up a release vote.
> > > > > > > > 
> > > > > > > > However, effort / focus is currently on getting 9.0
> > > > > > > > Final out
> > > > > > > > of
> > > > > > > > the
> > > > > > > > door and fixing / work on the remaining 2 TCK failures.
> > > > > > > > If we
> > > > > > > > have it
> > > > > > > > up for vote, we can (most certainly) bring up a 8.0.14
> > > > > > > > for
> > > > > > > > vote.
> > > > > > > > 
> > > > > > > > Regards
> > > > > > > > Richard
> > > > > > > > 
> > > > > > > > [1] https://github.com/apache/tomee/pull/993
> > > > > > > > 
> > > > > > > > On Tuesday, 06.12.2022 at 16:35 +, Wiesner,
> > > > > > > > Martin wrote:
> > > > > > > > > My vote:
> > > > > > > > > +1
> > > > > > > > > 
> > > > > > > > > --
> > > > > > > > > Best
> > > > > > > > > Martin
> > > > > > > > > 
> > > > > > > > > > On 06.12.2022 at 16:25, Jean-Louis Monteiro
> > > > > > > > > > <
> > > > > > > > > > jlmonte...@tomitribe.com> wrote:
> > > > > > > > > > 
> > > > > > > > > > I'm 

Re: 8.0.14 next week? [Was: Having 8.0.14 before christmas? Opinions?]

2023-01-13 Thread Alex The Rocker
Hello Richard,

Can upcoming TomEE 8.0.14 integrate Tomcat 9.0.71, or at least Tomcat
9.0.69 so as to fix CVE-2022-45143?

This latter CVE is rated High
(https://nvd.nist.gov/vuln/detail/CVE-2022-45143) so given the high
attention on CVEs, it would be too bad to miss this one.

Thanks,
Alex

On Wed, 11 Jan 2023 at 19:17, Alex The Rocker wrote:
>
> Thanks Richard for this clarification (hope it's available in TomEE
> Security page to avoid people asking the same question)
>
> => When can TomEE 8.0.14 vote start?
>
> Alex
>
> On Wed, 11 Jan 2023 at 15:11, Richard Zowalla wrote:
> >
> > Hi Alex,
> >
> > thanks for the reply.
> >
> > There is an issue regarding CVE-2022-1471 (snakeyaml) [1]. Snakeyaml is
> > a transient dependency of jackson-dataformat-yaml (which is used in
> > OpenAPI). According to the Jackson people [2], they are not affected
> > [2].
> >
> > Therefore, I don't think that we are impacted.
> >
> > Regards
> > Richard
> >
> >
> > [1] https://issues.apache.org/jira/projects/TOMEE/issues/TOMEE-4169
> > [2] https://github.com/FasterXML/jackson-dataformats-text/issues/361
> >
> >
> > On Wednesday, 11.01.2023 at 14:32 +0100, Alex The Rocker wrote:
> > > Hello Richard,
> > >
> > > I give a big +1 for having a 8.0.14 release ASAP.
> > >
> > > I have nothing to ask for beyond the (many) CVE fixes done so
> > > far,
> > > except maybe if it could be checked if TomEE+ usage of snakeyaml
> > > (which is part of TomEE+ libraries) systematically relies on
> > > SnakeYaml's SafeConstructor, so as to avoid recent CVEs on
> > > SnakeYaml...
> > >
> > > Thanks,
> > > Alex
> > >
> > > On Wed, 11 Jan 2023 at 09:17, Richard Zowalla wrote:
> > > > Hi all,
> > > >
> > > > I would like to bring up 8.0.14 for a VOTE next week.
> > > >
> > > > Is there anything (dep updates, etc.) we need to include before
> > > > proceeding with the preparations?
> > > >
> > > > Current changes:
> > > > https://issues.apache.org/jira/projects/TOMEE/versions/12352390
> > > >
> > > > CXF 3.4.10 will be the last release of the 3.4.x series, so we
> > > > likely
> > > > need to upgrade to 3.5.x but I don't think that we should include
> > > > that
> > > > for 8.0.14 yet.
> > > >
> > > > Nightlies can be found here:
> > > > https://repository.apache.org/content/groups/snapshots/org/apache/tomee/apache-tomee/8.0.14-SNAPSHOT/
> > > >
> > > > Regards
> > > > Richard
> > > >
> > > >
> > > >
> > > > On Thursday, 22.12.2022 at 15:18 +0100, Thomas
> > > > Andraschko wrote:
> > > > > also created 2 issues for further dependency upgrades:
> > > > > https://issues.apache.org/jira/browse/TOMEE-4130
> > > > > https://issues.apache.org/jira/browse/TOMEE-4129
> > > > >
> > > > > is there a reason we don't have the GitHub Dependabot on master
> > > > > and
> > > > > 8.0x?
> > > > >
> > > > > On Thu, 22 Dec 2022 at 15:07, Thomas Andraschko <
> > > > > andraschko.tho...@gmail.com> wrote:
> > > > >
> > > > > > +1 for this as it will fix the new CXF CVE
> > > > > >
> > > > > > On Wed, 21 Dec 2022 at 11:03, Richard Zowalla <
> > > > > > r...@apache.org> wrote:
> > > > > >
> > > > > > > To follow up on that:
> > > > > > >
> > > > > > > I had a quick conversation with Jon about that topic.
> > > > > > > We need to fix TOMEE-4014 (regarding the keep.version
> > > > > > > property,
> > > > > > > see
> > > > > > > [1]) before we can bring up a release vote.
> > > > > > >
> > > > > > > However, effort / focus is currently on getting 9.0 Final out
> > > > > > > of
> > > > > > > the
> > > > > > > door and fixing / work on the remaining 2 TCK failures. If we
> > > > > > > have it
> > > > > > > up for vote, we can (most certainly) bring up a 8.0.14 for
> > > > > > > vote.
> > > > > > >
> > > > > > > Regards
> > > > > > > Richard
> > > > > > >
> > > > > > > [1] https://github.com/apache/tomee/pull/993
> > > > > > >
> > > > > > > On Tuesday, 06.12.2022 at 16:35 +, Wiesner,
> > > > > > > Martin wrote:
> > > > > > > > My vote:
> > > > > > > > +1
> > > > > > > >
> > > > > > > > --
> > > > > > > > Best
> > > > > > > > Martin
> > > > > > > >
> > > > > > > > > On 06.12.2022 at 16:25, Jean-Louis Monteiro <
> > > > > > > > > jlmonte...@tomitribe.com> wrote:
> > > > > > > > >
> > > > > > > > > I'm not -1
> > > > > > > > >
> > > > > > > > > But I'd definitely favor working on getting 9.0.0 final
> > > > > > > > > so we
> > > > > > > > > can
> > > > > > > > > switch to
> > > > > > > > > Jakarta EE 10 and MicroProfile 6.0
> > > > > > > > >
> > > > > > > > > My vote: 0
> > > > > > > > >
> > > > > > > > > On Tue, 6 Dec 2022, 16:11, Swell <
> > > > > > > > > souheil.sul...@gmail.com>
> > > > > > > > > wrote:
> > > > > > > > >
> > > > > > > > > > +1, we did not yet ship the fixes for the CVE, good to
> > > > > > > > > > have
> > > > > > > > > > them
> > > > > > > > > > shipped
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > On Tue, 6 Dec 2022 at 15:47, Richard Zowalla <
> > > > > > > > > > 

Re: 8.0.14 next week? [Was: Having 8.0.14 before christmas? Opinions?]

2023-01-11 Thread Alex The Rocker
Thanks Richard for this clarification (hope it's available in TomEE
Security page to avoid people asking the same question)

=> When can TomEE 8.0.14 vote start?

Alex

On Wed, 11 Jan 2023 at 15:11, Richard Zowalla wrote:
>
> Hi Alex,
>
> thanks for the reply.
>
> There is an issue regarding CVE-2022-1471 (snakeyaml) [1]. Snakeyaml is
> a transient dependency of jackson-dataformat-yaml (which is used in
> OpenAPI). According to the Jackson people [2], they are not affected
> [2].
>
> Therefore, I don't think that we are impacted.
>
> Regards
> Richard
>
>
> [1] https://issues.apache.org/jira/projects/TOMEE/issues/TOMEE-4169
> [2] https://github.com/FasterXML/jackson-dataformats-text/issues/361
>
>
> On Wednesday, 11.01.2023 at 14:32 +0100, Alex The Rocker wrote:
> > Hello Richard,
> >
> > I give a big +1 for having a 8.0.14 release ASAP.
> >
> > I have nothing to ask for beyond the (many) CVE fixes done so
> > far,
> > except maybe if it could be checked if TomEE+ usage of snakeyaml
> > (which is part of TomEE+ libraries) systematically relies on
> > SnakeYaml's SafeConstructor, so as to avoid recent CVEs on
> > SnakeYaml...
> >
> > Thanks,
> > Alex
> >
> > On Wed, 11 Jan 2023 at 09:17, Richard Zowalla wrote:
> > > Hi all,
> > >
> > > I would like to bring up 8.0.14 for a VOTE next week.
> > >
> > > Is there anything (dep updates, etc.) we need to include before
> > > proceeding with the preparations?
> > >
> > > Current changes:
> > > https://issues.apache.org/jira/projects/TOMEE/versions/12352390
> > >
> > > CXF 3.4.10 will be the last release of the 3.4.x series, so we
> > > likely
> > > need to upgrade to 3.5.x but I don't think that we should include
> > > that
> > > for 8.0.14 yet.
> > >
> > > Nightlies can be found here:
> > > https://repository.apache.org/content/groups/snapshots/org/apache/tomee/apache-tomee/8.0.14-SNAPSHOT/
> > >
> > > Regards
> > > Richard
> > >
> > >
> > >
> > > On Thursday, 22.12.2022 at 15:18 +0100, Thomas
> > > Andraschko wrote:
> > > > also created 2 issues for further dependency upgrades:
> > > > https://issues.apache.org/jira/browse/TOMEE-4130
> > > > https://issues.apache.org/jira/browse/TOMEE-4129
> > > >
> > > > is there a reason we don't have the GitHub Dependabot on master
> > > > and
> > > > 8.0x?
> > > >
> > > > On Thu, 22 Dec 2022 at 15:07, Thomas Andraschko <
> > > > andraschko.tho...@gmail.com> wrote:
> > > >
> > > > > +1 for this as it will fix the new CXF CVE
> > > > >
> > > > > On Wed, 21 Dec 2022 at 11:03, Richard Zowalla <
> > > > > r...@apache.org> wrote:
> > > > >
> > > > > > To follow up on that:
> > > > > >
> > > > > > I had a quick conversation with Jon about that topic.
> > > > > > We need to fix TOMEE-4014 (regarding the keep.version
> > > > > > property,
> > > > > > see
> > > > > > [1]) before we can bring up a release vote.
> > > > > >
> > > > > > However, effort / focus is currently on getting 9.0 Final out
> > > > > > of
> > > > > > the
> > > > > > door and fixing / work on the remaining 2 TCK failures. If we
> > > > > > have it
> > > > > > up for vote, we can (most certainly) bring up a 8.0.14 for
> > > > > > vote.
> > > > > >
> > > > > > Regards
> > > > > > Richard
> > > > > >
> > > > > > [1] https://github.com/apache/tomee/pull/993
> > > > > >
> > > > > > On Tuesday, 06.12.2022 at 16:35 +, Wiesner,
> > > > > > Martin wrote:
> > > > > > > My vote:
> > > > > > > +1
> > > > > > >
> > > > > > > --
> > > > > > > Best
> > > > > > > Martin
> > > > > > >
> > > > > > > > On 06.12.2022 at 16:25, Jean-Louis Monteiro <
> > > > > > > > jlmonte...@tomitribe.com> wrote:
> > > > > > > >
> > > > > > > > I'm not -1
> > > > > > > >
> > > > > > > > But I'd definitely favor working on getting 9.0.0 final
> > > > > > > > so we
> > > > > > > > can
> > > > > > > > switch to
> > > > > > > > Jakarta EE 10 and MicroProfile 6.0
> > > > > > > >
> > > > > > > > My vote: 0
> > > > > > > >
> > > > > > > > On Tue, 6 Dec 2022, 16:11, Swell <
> > > > > > > > souheil.sul...@gmail.com>
> > > > > > > > wrote:
> > > > > > > >
> > > > > > > > > +1, we did not yet ship the fixes for the CVE, good to
> > > > > > > > > have
> > > > > > > > > them
> > > > > > > > > shipped
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > On Tue, 6 Dec 2022 at 15:47, Richard Zowalla <
> > > > > > > > > r...@apache.org>
> > > > > > > > > wrote:
> > > > > > > > >
> > > > > > > > > > Hi all,
> > > > > > > > > >
> > > > > > > > > > We have some dependency updates (tomcat, cxf, hsqldb)
> > > > > > > > > > and
> > > > > > > > > > some
> > > > > > > > > > CVE
> > > > > > > > > > related fixes (woodstox, shaded bcel, ...).
> > > > > > > > > >
> > > > > > > > > > I was thinking about having 8.0.14 before we all get
> > > > > > > > > > too
> > > > > > > > > > stressed with
> > > > > > > > > > Christmas, etc. and no one has time to review / test
> > > > > > > > > > a
> > > > > > > > > > 8.0.14
> > > > > > > > > > RC.
> > > > > > > > > >
> > > > 

Re: 8.0.14 next week? [Was: Having 8.0.14 before christmas? Opinions?]

2023-01-11 Thread Richard Zowalla
Hi Alex,

thanks for the reply.

There is an issue regarding CVE-2022-1471 (snakeyaml) [1]. Snakeyaml is
a transient dependency of jackson-dataformat-yaml (which is used in
OpenAPI). According to the Jackson people [2], they are not affected
[2]. 

Therefore, I don't think that we are impacted.

Regards
Richard


[1] https://issues.apache.org/jira/projects/TOMEE/issues/TOMEE-4169
[2] https://github.com/FasterXML/jackson-dataformats-text/issues/361


On Wednesday, 11.01.2023 at 14:32 +0100, Alex The Rocker wrote:
> Hello Richard,
> 
> I give a big +1 for having a 8.0.14 release ASAP.
> 
> I have nothing to ask for beyond the (many) CVE fixes done so
> far,
> except maybe if it could be checked if TomEE+ usage of snakeyaml
> (which is part of TomEE+ libraries) systematically relies on
> SnakeYaml's SafeConstructor, so as to avoid recent CVEs on
> SnakeYaml...
> 
> Thanks,
> Alex
> 
> On Wed, 11 Jan 2023 at 09:17, Richard Zowalla wrote:
> > Hi all,
> > 
> > I would like to bring up 8.0.14 for a VOTE next week.
> > 
> > Is there anything (dep updates, etc.) we need to include before
> > proceeding with the preparations?
> > 
> > Current changes:
> > https://issues.apache.org/jira/projects/TOMEE/versions/12352390
> > 
> > CXF 3.4.10 will be the last release of the 3.4.x series, so we
> > likely
> > need to upgrade to 3.5.x but I don't think that we should include
> > that
> > for 8.0.14 yet.
> > 
> > Nightlies can be found here:
> > https://repository.apache.org/content/groups/snapshots/org/apache/tomee/apache-tomee/8.0.14-SNAPSHOT/
> > 
> > Regards
> > Richard
> > 
> > 
> > 
> > On Thursday, 22.12.2022 at 15:18 +0100, Thomas
> > Andraschko wrote:
> > > also created 2 issues for further dependency upgrades:
> > > https://issues.apache.org/jira/browse/TOMEE-4130
> > > https://issues.apache.org/jira/browse/TOMEE-4129
> > > 
> > > is there a reason we don't have the GitHub Dependabot on master
> > > and
> > > 8.0x?
> > > 
> > > On Thu, 22 Dec 2022 at 15:07, Thomas Andraschko <
> > > andraschko.tho...@gmail.com> wrote:
> > > 
> > > > +1 for this as it will fix the new CXF CVE
> > > > 
> > > > On Wed, 21 Dec 2022 at 11:03, Richard Zowalla <
> > > > r...@apache.org> wrote:
> > > > 
> > > > > To follow up on that:
> > > > > 
> > > > > I had a quick conversation with Jon about that topic.
> > > > > We need to fix TOMEE-4014 (regarding the keep.version
> > > > > property,
> > > > > see
> > > > > [1]) before we can bring up a release vote.
> > > > > 
> > > > > However, effort / focus is currently on getting 9.0 Final out
> > > > > of
> > > > > the
> > > > > door and fixing / work on the remaining 2 TCK failures. If we
> > > > > have it
> > > > > up for vote, we can (most certainly) bring up a 8.0.14 for
> > > > > vote.
> > > > > 
> > > > > Regards
> > > > > Richard
> > > > > 
> > > > > [1] https://github.com/apache/tomee/pull/993
> > > > > 
> > > > > On Tuesday, 06.12.2022 at 16:35 +, Wiesner,
> > > > > Martin wrote:
> > > > > > My vote:
> > > > > > +1
> > > > > > 
> > > > > > --
> > > > > > Best
> > > > > > Martin
> > > > > > 
> > > > > > > On 06.12.2022 at 16:25, Jean-Louis Monteiro <
> > > > > > > jlmonte...@tomitribe.com> wrote:
> > > > > > > 
> > > > > > > I'm not -1
> > > > > > > 
> > > > > > > But I'd definitely favor working on getting 9.0.0 final
> > > > > > > so we
> > > > > > > can
> > > > > > > switch to
> > > > > > > Jakarta EE 10 and MicroProfile 6.0
> > > > > > > 
> > > > > > > My vote: 0
> > > > > > > 
> > > > > > > On Tue, 6 Dec 2022, 16:11, Swell <
> > > > > > > souheil.sul...@gmail.com>
> > > > > > > wrote:
> > > > > > > 
> > > > > > > > +1, we did not yet ship the fixes for the CVE, good to
> > > > > > > > have
> > > > > > > > them
> > > > > > > > shipped
> > > > > > > > 
> > > > > > > > 
> > > > > > > > On Tue, 6 Dec 2022 at 15:47, Richard Zowalla <
> > > > > > > > r...@apache.org>
> > > > > > > > wrote:
> > > > > > > > 
> > > > > > > > > Hi all,
> > > > > > > > > 
> > > > > > > > > We have some dependency updates (tomcat, cxf, hsqldb)
> > > > > > > > > and
> > > > > > > > > some
> > > > > > > > > CVE
> > > > > > > > > related fixes (woodstox, shaded bcel, ...).
> > > > > > > > > 
> > > > > > > > > I was thinking about having 8.0.14 before we all get
> > > > > > > > > too
> > > > > > > > > stressed with
> > > > > > > > > Christmas, etc. and no one has time to review / test
> > > > > > > > > a
> > > > > > > > > 8.0.14
> > > > > > > > > RC.
> > > > > > > > > 
> > > > > > > > > So my questions are:
> > > > > > > > > 
> > > > > > > > > - What is the community's opinion regarding a 8.0.14
> > > > > > > > > before
> > > > > > > > > Christmas?
> > > > > > > > > - Are we missing any important version upgrades? Any
> > > > > > > > > show
> > > > > > > > > stoppers?
> > > > > > > > > 
> > > > > > > > > Here are the current changes in Jira
> > > > > > > > > 
> > > > > > > > > https://issues.apache.org/jira/projects/TOMEE/versions/12352390
> > > > > > > > 

Re: 8.0.14 next week? [Was: Having 8.0.14 before christmas? Opinions?]

2023-01-11 Thread Richard Zowalla
On Wednesday, 11.01.2023 at 14:32 +0100, Alex The Rocker wrote:
> Hello Richard,
> 
> I give a big +1 for having a 8.0.14 release ASAP.
> 
> I have nothing to ask for beyond the (many) CVE fixes done so
> far,
> except maybe if it could be checked if TomEE+ usage of snakeyaml
> (which is part of TomEE+ libraries) systematically relies on
> SnakeYaml's SafeConstructor, so as to avoid recent CVEs on
> SnakeYaml...
> 
> Thanks,
> Alex
> 
> On Wed, 11 Jan 2023 at 09:17, Richard Zowalla wrote:
> > Hi all,
> > 
> > I would like to bring up 8.0.14 for a VOTE next week.
> > 
> > Is there anything (dep updates, etc.) we need to include before
> > proceeding with the preparations?
> > 
> > Current changes:
> > https://issues.apache.org/jira/projects/TOMEE/versions/12352390
> > 
> > CXF 3.4.10 will be the last release of the 3.4.x series, so we
> > likely
> > need to upgrade to 3.5.x but I don't think that we should include
> > that
> > for 8.0.14 yet.
> > 
> > Nightlies can be found here:
> > https://repository.apache.org/content/groups/snapshots/org/apache/tomee/apache-tomee/8.0.14-SNAPSHOT/
> > 
> > Regards
> > Richard
> > 
> > 
> > 
> > On Thursday, 22.12.2022 at 15:18 +0100, Thomas
> > Andraschko wrote:
> > > also created 2 issues for further dependency upgrades:
> > > https://issues.apache.org/jira/browse/TOMEE-4130
> > > https://issues.apache.org/jira/browse/TOMEE-4129
> > > 
> > > is there a reason we don't have the GitHub Dependabot on master
> > > and
> > > 8.0x?
> > > 
> > > On Thu, 22 Dec 2022 at 15:07, Thomas Andraschko <
> > > andraschko.tho...@gmail.com> wrote:
> > > 
> > > > +1 for this as it will fix the new CXF CVE
> > > > 
> > > > On Wed, 21 Dec 2022 at 11:03, Richard Zowalla <
> > > > r...@apache.org> wrote:
> > > > 
> > > > > To follow up on that:
> > > > > 
> > > > > I had a quick conversation with Jon about that topic.
> > > > > We need to fix TOMEE-4014 (regarding the keep.version
> > > > > property,
> > > > > see
> > > > > [1]) before we can bring up a release vote.
> > > > > 
> > > > > However, effort / focus is currently on getting 9.0 Final out
> > > > > of
> > > > > the
> > > > > door and fixing / work on the remaining 2 TCK failures. If we
> > > > > have it
> > > > > up for vote, we can (most certainly) bring up a 8.0.14 for
> > > > > vote.
> > > > > 
> > > > > Regards
> > > > > Richard
> > > > > 
> > > > > [1] https://github.com/apache/tomee/pull/993
> > > > > 
> > > > > On Tuesday, 06.12.2022 at 16:35 +, Wiesner,
> > > > > Martin wrote:
> > > > > > My vote:
> > > > > > +1
> > > > > > 
> > > > > > --
> > > > > > Best
> > > > > > Martin
> > > > > > 
> > > > > > > On 06.12.2022 at 16:25, Jean-Louis Monteiro <
> > > > > > > jlmonte...@tomitribe.com> wrote:
> > > > > > > 
> > > > > > > I'm not -1
> > > > > > > 
> > > > > > > But I'd definitely favor working on getting 9.0.0 final
> > > > > > > so we
> > > > > > > can
> > > > > > > switch to
> > > > > > > Jakarta EE 10 and MicroProfile 6.0
> > > > > > > 
> > > > > > > My vote: 0
> > > > > > > 
> > > > > > > On Tue, 6 Dec 2022, 16:11, Swell <
> > > > > > > souheil.sul...@gmail.com>
> > > > > > > wrote:
> > > > > > > 
> > > > > > > > +1, we did not yet ship the fixes for the CVE, good to
> > > > > > > > have
> > > > > > > > them
> > > > > > > > shipped
> > > > > > > > 
> > > > > > > > 
> > > > > > > > On Tue, 6 Dec 2022 at 15:47, Richard Zowalla <
> > > > > > > > r...@apache.org>
> > > > > > > > wrote:
> > > > > > > > 
> > > > > > > > > Hi all,
> > > > > > > > > 
> > > > > > > > > We have some dependency updates (tomcat, cxf, hsqldb)
> > > > > > > > > and
> > > > > > > > > some
> > > > > > > > > CVE
> > > > > > > > > related fixes (woodstox, shaded bcel, ...).
> > > > > > > > > 
> > > > > > > > > I was thinking about having 8.0.14 before we all get
> > > > > > > > > too
> > > > > > > > > stressed with
> > > > > > > > > Christmas, etc. and no one has time to review / test
> > > > > > > > > a
> > > > > > > > > 8.0.14
> > > > > > > > > RC.
> > > > > > > > > 
> > > > > > > > > So my questions are:
> > > > > > > > > 
> > > > > > > > > - What is the community's opinion regarding a 8.0.14
> > > > > > > > > before
> > > > > > > > > Christmas?
> > > > > > > > > - Are we missing any important version upgrades? Any
> > > > > > > > > show
> > > > > > > > > stoppers?
> > > > > > > > > 
> > > > > > > > > Here are the current changes in Jira
> > > > > > > > > 
> > > > > > > > > https://issues.apache.org/jira/projects/TOMEE/versions/12352390
> > > > > > > > > 
> > > > > > > > > and here is a list in plain text without the need to
> > > > > > > > > login:
> > > > > > > > > 
> > > > > > > > > == Dependency upgrade
> > > > > > > > > 
> > > > > > > > > [.compact]
> > > > > > > > > - link:
> > > > > > > > > https://issues.apache.org/jira/browse/TOMEE-4100[TOMEE-4100]  
> > > > > > > > > X
> > > > > > > > > Bean 4.22
> > > > > > > > > - link:
> > > > > > > > > 

Re: 8.0.14 next week? [Was: Having 8.0.14 before christmas? Opinions?]

2023-01-11 Thread Alex The Rocker
Hello Richard,

I give a big +1 for having a 8.0.14 release ASAP.

I have nothing to ask for beyond the (many) CVE fixes done so far,
except maybe if it could be checked if TomEE+ usage of snakeyaml
(which is part of TomEE+ libraries) systematically relies on
SnakeYaml's SafeConstructor, so as to avoid recent CVEs on
SnakeYaml...

Thanks,
Alex

On Wed, 11 Jan 2023 at 09:17, Richard Zowalla wrote:
>
> Hi all,
>
> I would like to bring up 8.0.14 for a VOTE next week.
>
> Is there anything (dep updates, etc.) we need to include before
> proceeding with the preparations?
>
> Current changes:
> https://issues.apache.org/jira/projects/TOMEE/versions/12352390
>
> CXF 3.4.10 will be the last release of the 3.4.x series, so we likely
> need to upgrade to 3.5.x but I don't think that we should include that
> for 8.0.14 yet.
>
> Nightlies can be found here:
> https://repository.apache.org/content/groups/snapshots/org/apache/tomee/apache-tomee/8.0.14-SNAPSHOT/
>
> Regards
> Richard
>
>
>
> On Thursday, 22.12.2022 at 15:18 +0100, Thomas Andraschko wrote:
> > also created 2 issues for further dependency upgrades:
> > https://issues.apache.org/jira/browse/TOMEE-4130
> > https://issues.apache.org/jira/browse/TOMEE-4129
> >
> > is there a reason we don't have the GitHub Dependabot on master and
> > 8.0x?
> >
> > On Thu, 22 Dec 2022 at 15:07, Thomas Andraschko <
> > andraschko.tho...@gmail.com> wrote:
> >
> > > +1 for this as it will fix the new CXF CVE
> > >
> > > On Wed, 21 Dec 2022 at 11:03, Richard Zowalla <
> > > r...@apache.org> wrote:
> > >
> > > > To follow up on that:
> > > >
> > > > I had a quick conversation with Jon about that topic.
> > > > We need to fix TOMEE-4014 (regarding the keep.version property,
> > > > see
> > > > [1]) before we can bring up a release vote.
> > > >
> > > > However, effort / focus is currently on getting 9.0 Final out of
> > > > the
> > > > door and fixing / work on the remaining 2 TCK failures. If we
> > > > have it
> > > > up for vote, we can (most certainly) bring up a 8.0.14 for vote.
> > > >
> > > > Regards
> > > > Richard
> > > >
> > > > [1] https://github.com/apache/tomee/pull/993
> > > >
> > > > On Tuesday, 06.12.2022 at 16:35 +, Wiesner,
> > > > Martin wrote:
> > > > > My vote:
> > > > > +1
> > > > >
> > > > > --
> > > > > Best
> > > > > Martin
> > > > >
> > > > > > On 06.12.2022 at 16:25, Jean-Louis Monteiro <
> > > > > > jlmonte...@tomitribe.com> wrote:
> > > > > >
> > > > > > I'm not -1
> > > > > >
> > > > > > But I'd definitely favor working on getting 9.0.0 final so we
> > > > > > can
> > > > > > switch to
> > > > > > Jakarta EE 10 and MicroProfile 6.0
> > > > > >
> > > > > > My vote: 0
> > > > > >
> > > > > > On Tue, 6 Dec 2022, 16:11, Swell wrote:
> > > > > >
> > > > > > > +1, we did not yet ship the fixes for the CVE, good to have
> > > > > > > them
> > > > > > > shipped
> > > > > > >
> > > > > > >
> > > > > > > On Tue, 6 Dec 2022 at 15:47, Richard Zowalla <
> > > > > > > r...@apache.org>
> > > > > > > wrote:
> > > > > > >
> > > > > > > > Hi all,
> > > > > > > >
> > > > > > > > We have some dependency updates (tomcat, cxf, hsqldb) and
> > > > > > > > some
> > > > > > > > CVE
> > > > > > > > related fixes (woodstox, shaded bcel, ...).
> > > > > > > >
> > > > > > > > I was thinking about having 8.0.14 before we all get too
> > > > > > > > stressed with
> > > > > > > > Christmas, etc. and no one has time to review / test a
> > > > > > > > 8.0.14
> > > > > > > > RC.
> > > > > > > >
> > > > > > > > So my questions are:
> > > > > > > >
> > > > > > > > - What is the community's opinion regarding a 8.0.14
> > > > > > > > before
> > > > > > > > Christmas?
> > > > > > > > - Are we missing any important version upgrades? Any show
> > > > > > > > stoppers?
> > > > > > > >
> > > > > > > > Here are the current changes in Jira
> > > > > > > >
> > > > > > > > https://issues.apache.org/jira/projects/TOMEE/versions/12352390
> > > > > > > >
> > > > > > > > and here is a list in plain text without the need to
> > > > > > > > login:
> > > > > > > >
> > > > > > > > == Dependency upgrade
> > > > > > > >
> > > > > > > > [.compact]
> > > > > > > > - link:
> > > > > > > > https://issues.apache.org/jira/browse/TOMEE-4100[TOMEE-4100]  X
> > > > > > > > Bean 4.22
> > > > > > > > - link:
> > > > > > > > https://issues.apache.org/jira/browse/TOMEE-4118[TOMEE-4118]
> > > > > > > > CXF 3.4.9
> > > > > > > > - link:
> > > > > > > > https://issues.apache.org/jira/browse/TOMEE-4086[TOMEE-4086]
> > > > > > > > HSQLDB 2.7.1
> > > > > > > > - link:
> > > > > > > > https://issues.apache.org/jira/browse/TOMEE-4107[TOMEE-4107]
> > > > > > > > Jackson 2.14.0
> > > > > > > > - link:
> > > > > > > > https://issues.apache.org/jira/browse/TOMEE-4116[TOMEE-4116]
> > > > > > > > Tomcat 9.0.69
> > > > > > > > - link:
> > > > > > > > https://issues.apache.org/jira/browse/TOMEE-4121[TOMEE-4121]
> > > > > > > > Tomcat 9.0.70
> > > > > > > > - link:
> > > > > 

Re: 8.0.14 next week? [Was: Having 8.0.14 before christmas? Opinions?]

2023-01-11 Thread Jean-Louis Monteiro
Thanks.
Nothing on my radar

On Wed, 11 Jan 2023, 08:13, Richard Zowalla wrote:

> Hi all,
>
> I would like to bring up 8.0.14 for a VOTE next week.
>
> Is there anything (dep updates, etc.) we need to include before
> proceeding with the preparations?
>
> Current changes:
> https://issues.apache.org/jira/projects/TOMEE/versions/12352390
>
> CXF 3.4.10 will be the last release of the 3.4.x series, so we likely
> need to upgrade to 3.5.x but I don't think that we should include that
> for 8.0.14 yet.
>
> Nightlies can be found here:
>
> https://repository.apache.org/content/groups/snapshots/org/apache/tomee/apache-tomee/8.0.14-SNAPSHOT/
>
> Regards
> Richard
>
>
>
> On Thursday, 22.12.2022 at 15:18 +0100, Thomas Andraschko wrote:
> > also created 2 issues for further dependency upgrades:
> > https://issues.apache.org/jira/browse/TOMEE-4130
> > https://issues.apache.org/jira/browse/TOMEE-4129
> >
> > is there a reason we don't have the GitHub Dependabot on master and
> > 8.0x?
> >
> > On Thu, 22 Dec 2022 at 15:07, Thomas Andraschko <
> > andraschko.tho...@gmail.com> wrote:
> >
> > > +1 for this as it will fix the new CXF CVE
> > >
> > > On Wed, 21 Dec 2022 at 11:03, Richard Zowalla <
> > > r...@apache.org> wrote:
> > >
> > > > To follow up on that:
> > > >
> > > > I had a quick conversation with Jon about that topic.
> > > > We need to fix TOMEE-4014 (regarding the keep.version property,
> > > > see
> > > > [1]) before we can bring up a release vote.
> > > >
> > > > However, effort / focus is currently on getting 9.0 Final out of
> > > > the
> > > > door and fixing / work on the remaining 2 TCK failures. If we
> > > > have it
> > > > up for vote, we can (most certainly) bring up a 8.0.14 for vote.
> > > >
> > > > Regards
> > > > Richard
> > > >
> > > > [1] https://github.com/apache/tomee/pull/993
> > > >
> > > > On Tuesday, 06.12.2022 at 16:35 +, Wiesner,
> > > > Martin wrote:
> > > > > My vote:
> > > > > +1
> > > > >
> > > > > --
> > > > > Best
> > > > > Martin
> > > > >
> > > > > > On 06.12.2022 at 16:25, Jean-Louis Monteiro <
> > > > > > jlmonte...@tomitribe.com> wrote:
> > > > > >
> > > > > > I'm not -1
> > > > > >
> > > > > > But I'd definitely favor working on getting 9.0.0 final so we
> > > > > > can
> > > > > > switch to
> > > > > > Jakarta EE 10 and MicroProfile 6.0
> > > > > >
> > > > > > My vote: 0
> > > > > >
> > > > > > On Tue, 6 Dec 2022, 16:11, Swell wrote:
> > > > > >
> > > > > > > +1, we did not yet ship the fixes for the CVE, good to have
> > > > > > > them
> > > > > > > shipped
> > > > > > >
> > > > > > >
> > > > > > > On Tue, 6 Dec 2022 at 15:47, Richard Zowalla <
> > > > > > > r...@apache.org>
> > > > > > > wrote:
> > > > > > >
> > > > > > > > Hi all,
> > > > > > > >
> > > > > > > > We have some dependency updates (tomcat, cxf, hsqldb) and
> > > > > > > > some
> > > > > > > > CVE
> > > > > > > > related fixes (woodstox, shaded bcel, ...).
> > > > > > > >
> > > > > > > > I was thinking about having 8.0.14 before we all get too
> > > > > > > > stressed with
> > > > > > > > christmas, etc. and no one has time to review / test a
> > > > > > > > 8.0.14
> > > > > > > > RC.
> > > > > > > >
> > > > > > > > So my questions are:
> > > > > > > >
> > > > > > > > > - What is the community's opinion regarding a 8.0.14
> > > > > > > > before
> > > > > > > > christmas?
> > > > > > > > - Are we missing any important version upgrades? Any show
> > > > > > > > stoppers?
> > > > > > > >
> > > > > > > > Here are the current changes in Jira
> > > > > > > >
> > > > > > > >
> > > > > > > > > https://issues.apache.org/jira/projects/TOMEE/versions/12352390
> > > > > > > >
> > > > > > > > and here is a list in plain text without the need to
> > > > > > > > login:
> > > > > > > >
> > > > > > > > == Dependency upgrade
> > > > > > > >
> > > > > > > > [.compact]
> > > > > > > > - link:
> > > > > > > > https://issues.apache.org/jira/browse/TOMEE-4100[TOMEE-4100]
> > > > > > > > > X
> > > > > > > > Bean 4.22
> > > > > > > > - link:
> > > > > > > > https://issues.apache.org/jira/browse/TOMEE-4118[TOMEE-4118]
> > > > > > > > CXF 3.4.9
> > > > > > > > - link:
> > > > > > > > https://issues.apache.org/jira/browse/TOMEE-4086[TOMEE-4086]
> > > > > > > > HSQLDB 2.7.1
> > > > > > > > - link:
> > > > > > > > https://issues.apache.org/jira/browse/TOMEE-4107[TOMEE-4107]
> > > > > > > > Jackson 2.14.0
> > > > > > > > - link:
> > > > > > > > https://issues.apache.org/jira/browse/TOMEE-4116[TOMEE-4116]
> > > > > > > > Tomcat 9.0.69
> > > > > > > > - link:
> > > > > > > > https://issues.apache.org/jira/browse/TOMEE-4121[TOMEE-4121]
> > > > > > > > Tomcat 9.0.70
> > > > > > > > - link:
> > > > > > > > https://issues.apache.org/jira/browse/TOMEE-4109[TOMEE-4109]
> > > > > > > > Velocity 2.3
> > > > > > > > - link:
> > > > > > > > https://issues.apache.org/jira/browse/TOMEE-4110[TOMEE-4110]
> > > > > > > > Woodstox 6.4.0 (CVE-2022-40152)
> > > > > > > > - link:
> > > > > > > > 

8.0.14 next week? [Was: Having 8.0.14 before christmas? Opinions?]

2023-01-11 Thread Richard Zowalla
Hi all,

I would like to bring up 8.0.14 for a VOTE next week.

Is there anything (dep updates, etc.) we need to include before
proceeding with the preparations?

Current changes: 
https://issues.apache.org/jira/projects/TOMEE/versions/12352390

CXF 3.4.10 will be the last release of the 3.4.x series, so we likely
need to upgrade to 3.5.x but I don't think that we should include that
for 8.0.14 yet.

Nightlies can be found here: 
https://repository.apache.org/content/groups/snapshots/org/apache/tomee/apache-tomee/8.0.14-SNAPSHOT/

Regards
Richard



On Thursday, 22.12.2022 at 15:18 +0100, Thomas Andraschko wrote:
> also created 2 issues for further dependency upgrades:
> https://issues.apache.org/jira/browse/TOMEE-4130
> https://issues.apache.org/jira/browse/TOMEE-4129
> 
> is there a reason we don't have the github dependabot on master and
> 8.0x?
> 
> On Thu, 22 Dec 2022 at 15:07, Thomas Andraschko <
> andraschko.tho...@gmail.com> wrote:
> 
> > +1 for this as it will fix the new CXF CVE
> > 
> > On Wed, 21 Dec 2022 at 11:03, Richard Zowalla <
> > r...@apache.org> wrote:
> > 
> > > To follow up on that:
> > > 
> > > I had a quick conversation with Jon about that topic.
> > > We need to fix TOMEE-4014 (regarding the keep.version property,
> > > see
> > > [1]) before we can bring up a release vote.
> > > 
> > > However, effort / focus is currently on getting 9.0 Final out of
> > > the
> > > door and fixing / work on the remaining 2 TCK failures. If we
> > > have it
> > > up for vote, we can (most certainly) bring up a 8.0.14 for vote.
> > > 
> > > Regards
> > > Richard
> > > 
> > > [1] https://github.com/apache/tomee/pull/993
> > > 
> > > On Tuesday, 06.12.2022 at 16:35 +, Wiesner,
> > > Martin wrote:
> > > > My vote:
> > > > +1
> > > > 
> > > > --
> > > > Best
> > > > Martin
> > > > 
> > > > > On 06.12.2022 at 16:25, Jean-Louis Monteiro <
> > > > > jlmonte...@tomitribe.com> wrote:
> > > > > 
> > > > > I'm not -1
> > > > > 
> > > > > But I'd definitely favor working on getting 9.0.0 final so we
> > > > > can
> > > > > switch to
> > > > > Jakarta EE 10 and MicroProfile 6.0
> > > > > 
> > > > > My vote: 0
> > > > > 
> > > > > On Tue, 6 Dec 2022, 16:11, Swell wrote:
> > > > > 
> > > > > > +1, we did not yet ship the fixes for the CVE, good to have
> > > > > > them
> > > > > > shipped
> > > > > > 
> > > > > > 
> > > > > > On Tue, 6 Dec 2022 at 15:47, Richard Zowalla <
> > > > > > r...@apache.org>
> > > > > > wrote:
> > > > > > 
> > > > > > > Hi all,
> > > > > > > 
> > > > > > > We have some dependency updates (tomcat, cxf, hsqldb) and
> > > > > > > some
> > > > > > > CVE
> > > > > > > related fixes (woodstox, shaded bcel, ...).
> > > > > > > 
> > > > > > > I was thinking about having 8.0.14 before we all get too
> > > > > > > stressed with
> > > > > > > christmas, etc. and no one has time to review / test a
> > > > > > > 8.0.14
> > > > > > > RC.
> > > > > > > 
> > > > > > > So my questions are:
> > > > > > > 
> > > > > > > > - What is the community's opinion regarding a 8.0.14
> > > > > > > before
> > > > > > > christmas?
> > > > > > > - Are we missing any important version upgrades? Any show
> > > > > > > stoppers?
> > > > > > > 
> > > > > > > Here are the current changes in Jira
> > > > > > > 
> > > > > > > https://issues.apache.org/jira/projects/TOMEE/versions/12352390
> > > > > > > 
> > > > > > > and here is a list in plain text without the need to
> > > > > > > login:
> > > > > > > 
> > > > > > > == Dependency upgrade
> > > > > > > 
> > > > > > > [.compact]
> > > > > > > - link:
> > > > > > > https://issues.apache.org/jira/browse/TOMEE-4100[TOMEE-4100]  X
> > > > > > > Bean 4.22
> > > > > > > - link:
> > > > > > > https://issues.apache.org/jira/browse/TOMEE-4118[TOMEE-4118]
> > > > > > > CXF 3.4.9
> > > > > > > - link:
> > > > > > > https://issues.apache.org/jira/browse/TOMEE-4086[TOMEE-4086]
> > > > > > > HSQLDB 2.7.1
> > > > > > > - link:
> > > > > > > https://issues.apache.org/jira/browse/TOMEE-4107[TOMEE-4107]
> > > > > > > Jackson 2.14.0
> > > > > > > - link:
> > > > > > > https://issues.apache.org/jira/browse/TOMEE-4116[TOMEE-4116]
> > > > > > > Tomcat 9.0.69
> > > > > > > - link:
> > > > > > > https://issues.apache.org/jira/browse/TOMEE-4121[TOMEE-4121]
> > > > > > > Tomcat 9.0.70
> > > > > > > - link:
> > > > > > > https://issues.apache.org/jira/browse/TOMEE-4109[TOMEE-4109]
> > > > > > > Velocity 2.3
> > > > > > > - link:
> > > > > > > https://issues.apache.org/jira/browse/TOMEE-4110[TOMEE-4110]
> > > > > > > Woodstox 6.4.0 (CVE-2022-40152)
> > > > > > > - link:
> > > > > > > https://issues.apache.org/jira/browse/TOMEE-4111[TOMEE-4111]
> > > > > > > bcel component
> > > > > > > - link:
> > > > > > > https://issues.apache.org/jira/browse/TOMEE-4094[TOMEE-4094]
> > > > > > > jackson 2.14.0-rc2
> > > > > > > - link:
> > > > > > > https://issues.apache.org/jira/browse/TOMEE-4103[TOMEE-4103]
> > > > > > > woodstox-core
> > > > > > > <
> > > 

Re: Having 8.0.14 before christmas? Opinions?

2022-12-28 Thread Richard Zowalla
On Thursday, 22.12.2022 at 15:18 +0100, Thomas Andraschko wrote:
> is there a reason we don't have the github dependabot on master and
> 8.0x?

It continuously generates noise (especially for /examples) or promotes
incompatible changes (jakarta vs javax) all the time :-)

Therefore, it is currently disabled on main / 8.x





Re: Having 8.0.14 before christmas? Opinions?

2022-12-22 Thread Thomas Andraschko
also created 2 issues for further dependency upgrades:
https://issues.apache.org/jira/browse/TOMEE-4130
https://issues.apache.org/jira/browse/TOMEE-4129

is there a reason we don't have the github dependabot on master and 8.0x?

On Thu, 22 Dec 2022 at 15:07, Thomas Andraschko <
andraschko.tho...@gmail.com> wrote:

> +1 for this as it will fix the new CXF CVE
>
> On Wed, 21 Dec 2022 at 11:03, Richard Zowalla <
> r...@apache.org> wrote:
>
>> To follow up on that:
>>
>> I had a quick conversation with Jon about that topic.
>> We need to fix TOMEE-4014 (regarding the keep.version property, see
>> [1]) before we can bring up a release vote.
>>
>> However, effort / focus is currently on getting 9.0 Final out of the
>> door and fixing / work on the remaining 2 TCK failures. If we have it
>> up for vote, we can (most certainly) bring up a 8.0.14 for vote.
>>
>> Regards
>> Richard
>>
>> [1] https://github.com/apache/tomee/pull/993
>>
>> On Tuesday, 06.12.2022 at 16:35 +, Wiesner, Martin wrote:
>> > My vote:
>> > +1
>> >
>> > --
>> > Best
>> > Martin
>> >
>> > > On 06.12.2022 at 16:25, Jean-Louis Monteiro <
>> > > jlmonte...@tomitribe.com> wrote:
>> > >
>> > > I'm not -1
>> > >
>> > > But I'd definitely favor working on getting 9.0.0 final so we can
>> > > switch to
>> > > Jakarta EE 10 and MicroProfile 6.0
>> > >
>> > > My vote: 0
>> > >
>> > > On Tue, 6 Dec 2022, 16:11, Swell wrote:
>> > >
>> > > > +1, we did not yet ship the fixes for the CVE, good to have them
>> > > > shipped
>> > > >
>> > > >
>> > > > On Tue, 6 Dec 2022 at 15:47, Richard Zowalla 
>> > > > wrote:
>> > > >
>> > > > > Hi all,
>> > > > >
>> > > > > We have some dependency updates (tomcat, cxf, hsqldb) and some
>> > > > > CVE
>> > > > > related fixes (woodstox, shaded bcel, ...).
>> > > > >
>> > > > > I was thinking about having 8.0.14 before we all get too
>> > > > > stressed with
>> > > > > christmas, etc. and no one has time to review / test a 8.0.14
>> > > > > RC.
>> > > > >
>> > > > > So my questions are:
>> > > > >
>> > > > > - What is the community's opinion regarding a 8.0.14 before
>> > > > > christmas?
>> > > > > - Are we missing any important version upgrades? Any show
>> > > > > stoppers?
>> > > > >
>> > > > > Here are the current changes in Jira
>> > > > >
>> > > > > https://issues.apache.org/jira/projects/TOMEE/versions/12352390
>> > > > >
>> > > > > and here is a list in plain text without the need to login:
>> > > > >
>> > > > > == Dependency upgrade
>> > > > >
>> > > > > [.compact]
>> > > > > - link:
>> > > > > https://issues.apache.org/jira/browse/TOMEE-4100[TOMEE-4100]  X
>> > > > > Bean 4.22
>> > > > > - link:
>> > > > > https://issues.apache.org/jira/browse/TOMEE-4118[TOMEE-4118]
>> > > > > CXF 3.4.9
>> > > > > - link:
>> > > > > https://issues.apache.org/jira/browse/TOMEE-4086[TOMEE-4086]
>> > > > > HSQLDB 2.7.1
>> > > > > - link:
>> > > > > https://issues.apache.org/jira/browse/TOMEE-4107[TOMEE-4107]
>> > > > > Jackson 2.14.0
>> > > > > - link:
>> > > > > https://issues.apache.org/jira/browse/TOMEE-4116[TOMEE-4116]
>> > > > > Tomcat 9.0.69
>> > > > > - link:
>> > > > > https://issues.apache.org/jira/browse/TOMEE-4121[TOMEE-4121]
>> > > > > Tomcat 9.0.70
>> > > > > - link:
>> > > > > https://issues.apache.org/jira/browse/TOMEE-4109[TOMEE-4109]
>> > > > > Velocity 2.3
>> > > > > - link:
>> > > > > https://issues.apache.org/jira/browse/TOMEE-4110[TOMEE-4110]
>> > > > > Woodstox 6.4.0 (CVE-2022-40152)
>> > > > > - link:
>> > > > > https://issues.apache.org/jira/browse/TOMEE-4111[TOMEE-4111]
>> > > > > bcel component
>> > > > > - link:
>> > > > > https://issues.apache.org/jira/browse/TOMEE-4094[TOMEE-4094]
>> > > > > jackson 2.14.0-rc2
>> > > > > - link:
>> > > > > https://issues.apache.org/jira/browse/TOMEE-4103[TOMEE-4103]
>> > > > > woodstox-core
>> > > > > mitigate CVE-2022-40153
>> > > > >
>> > > > > == Bug
>> > > > >
>> > > > > [.compact]
>> > > > > - link:
>> > > > > https://issues.apache.org/jira/browse/TOMEE-4122[TOMEE-4122]
>> > > > > Performance Regression in bean resolution in EAR files
>> > > > > - link:
>> > > > > https://issues.apache.org/jira/browse/TOMEE-4101[TOMEE-4101]
>> > > > > Typo with EL22Adaptor implementation in openwebbeans.properties
>> > > > > - link:
>> > > > > https://issues.apache.org/jira/browse/TOMEE-4102[TOMEE-4102]
>> > > > > TomEE logs SEVERE: Expected ContextBinding to have the method
>> > > > > getThreadName()
>> > > > > - link:
>> > > > > https://issues.apache.org/jira/browse/TOMEE-4014[TOMEE-4014]
>> > > > > Unable to see TomEE version in Tomcat home page with Java 17
>> > > > > - link:
>> > > > > https://issues.apache.org/jira/browse/TOMEE-4106[TOMEE-4106]
>> > > > > TomEE version no longer appearing at default manager page
>> > > > >
>> > > > > == Documentation
>> > > > >
>> > > > > [.compact]
>> > > > > - link:
>> > > > > 

Re: Having 8.0.14 before christmas? Opinions?

2022-12-22 Thread Thomas Andraschko
+1 for this as it will fix the new CXF CVE

On Wed, 21 Dec 2022 at 11:03, Richard Zowalla wrote:

> To follow up on that:
>
> I had a quick conversation with Jon about that topic.
> We need to fix TOMEE-4014 (regarding the keep.version property, see
> [1]) before we can bring up a release vote.
>
> However, effort / focus is currently on getting 9.0 Final out of the
> door and fixing / work on the remaining 2 TCK failures. If we have it
> up for vote, we can (most certainly) bring up a 8.0.14 for vote.
>
> Regards
> Richard
>
> [1] https://github.com/apache/tomee/pull/993
>
> On Tuesday, 06.12.2022 at 16:35 +, Wiesner, Martin wrote:
> > My vote:
> > +1
> >
> > --
> > Best
> > Martin
> >
> > > On 06.12.2022 at 16:25, Jean-Louis Monteiro <
> > > jlmonte...@tomitribe.com> wrote:
> > >
> > > I'm not -1
> > >
> > > But I'd definitely favor working on getting 9.0.0 final so we can
> > > switch to
> > > Jakarta EE 10 and MicroProfile 6.0
> > >
> > > My vote: 0
> > >
> > > On Tue, 6 Dec 2022, 16:11, Swell wrote:
> > >
> > > > +1, we did not yet ship the fixes for the CVE, good to have them
> > > > shipped
> > > >
> > > >
> > > > On Tue, 6 Dec 2022 at 15:47, Richard Zowalla 
> > > > wrote:
> > > >
> > > > > Hi all,
> > > > >
> > > > > We have some dependency updates (tomcat, cxf, hsqldb) and some
> > > > > CVE
> > > > > related fixes (woodstox, shaded bcel, ...).
> > > > >
> > > > > I was thinking about having 8.0.14 before we all get too
> > > > > stressed with
> > > > > christmas, etc. and no one has time to review / test a 8.0.14
> > > > > RC.
> > > > >
> > > > > So my questions are:
> > > > >
> > > > > - What is the community's opinion regarding a 8.0.14 before
> > > > > christmas?
> > > > > - Are we missing any important version upgrades? Any show
> > > > > stoppers?
> > > > >
> > > > > Here are the current changes in Jira
> > > > >
> > > > > https://issues.apache.org/jira/projects/TOMEE/versions/12352390
> > > > >
> > > > > and here is a list in plain text without the need to login:
> > > > >
> > > > > == Dependency upgrade
> > > > >
> > > > > [.compact]
> > > > > - link:
> > > > > https://issues.apache.org/jira/browse/TOMEE-4100[TOMEE-4100]  X
> > > > > Bean 4.22
> > > > > - link:
> > > > > https://issues.apache.org/jira/browse/TOMEE-4118[TOMEE-4118]
> > > > > CXF 3.4.9
> > > > > - link:
> > > > > https://issues.apache.org/jira/browse/TOMEE-4086[TOMEE-4086]
> > > > > HSQLDB 2.7.1
> > > > > - link:
> > > > > https://issues.apache.org/jira/browse/TOMEE-4107[TOMEE-4107]
> > > > > Jackson 2.14.0
> > > > > - link:
> > > > > https://issues.apache.org/jira/browse/TOMEE-4116[TOMEE-4116]
> > > > > Tomcat 9.0.69
> > > > > - link:
> > > > > https://issues.apache.org/jira/browse/TOMEE-4121[TOMEE-4121]
> > > > > Tomcat 9.0.70
> > > > > - link:
> > > > > https://issues.apache.org/jira/browse/TOMEE-4109[TOMEE-4109]
> > > > > Velocity 2.3
> > > > > - link:
> > > > > https://issues.apache.org/jira/browse/TOMEE-4110[TOMEE-4110]
> > > > > Woodstox 6.4.0 (CVE-2022-40152)
> > > > > - link:
> > > > > https://issues.apache.org/jira/browse/TOMEE-4111[TOMEE-4111]
> > > > > bcel component
> > > > > - link:
> > > > > https://issues.apache.org/jira/browse/TOMEE-4094[TOMEE-4094]
> > > > > jackson 2.14.0-rc2
> > > > > - link:
> > > > > https://issues.apache.org/jira/browse/TOMEE-4103[TOMEE-4103]
> > > > > woodstox-core
> > > > > mitigate CVE-2022-40153
> > > > >
> > > > > == Bug
> > > > >
> > > > > [.compact]
> > > > > - link:
> > > > > https://issues.apache.org/jira/browse/TOMEE-4122[TOMEE-4122]
> > > > > Performance Regression in bean resolution in EAR files
> > > > > - link:
> > > > > https://issues.apache.org/jira/browse/TOMEE-4101[TOMEE-4101]
> > > > > Typo with EL22Adaptor implementation in openwebbeans.properties
> > > > > - link:
> > > > > https://issues.apache.org/jira/browse/TOMEE-4102[TOMEE-4102]
> > > > > TomEE logs SEVERE: Expected ContextBinding to have the method
> > > > > getThreadName()
> > > > > - link:
> > > > > https://issues.apache.org/jira/browse/TOMEE-4014[TOMEE-4014]
> > > > > Unable to see TomEE version in Tomcat home page with Java 17
> > > > > - link:
> > > > > https://issues.apache.org/jira/browse/TOMEE-4106[TOMEE-4106]
> > > > > TomEE version no longer appearing at default manager page
> > > > >
> > > > > == Documentation
> > > > >
> > > > > [.compact]
> > > > > - link:
> > > > > https://issues.apache.org/jira/browse/TOMEE-4104[TOMEE-4104]
> > > > > Documentation Website: XA DataSource Configuration: Bug in
> > > > > MySQL Sample
> > > > > Code
> > > > >
> > > > > == Fixed Common Vulnerabilities and Exposures (CVEs)
> > > > >
> > > > > [.compact]
> > > > > - link:
> > > > > https://issues.apache.org/jira/browse/TOMEE-4086[TOMEE-4086]
> > > > > HSQLDB 2.7.1
> > > > > - link:
> > > > > https://issues.apache.org/jira/browse/TOMEE-4111[TOMEE-4111]
> > > > > Upgrade bcel component in 

Re: Having 8.0.14 before christmas? Opinions?

2022-12-21 Thread Richard Zowalla
To follow up on that:

I had a quick conversation with Jon about that topic.
We need to fix TOMEE-4014 (regarding the keep.version property, see
[1]) before we can bring up a release vote. 

However, effort / focus is currently on getting 9.0 Final out of the
door and fixing / work on the remaining 2 TCK failures. If we have it
up for vote, we can (most certainly) bring up a 8.0.14 for vote.

Regards
Richard

[1] https://github.com/apache/tomee/pull/993

On Tuesday, 06.12.2022 at 16:35 +, Wiesner, Martin wrote:
> My vote: 
> +1
> 
> --
> Best
> Martin
> 
> > On 06.12.2022 at 16:25, Jean-Louis Monteiro <
> > jlmonte...@tomitribe.com> wrote:
> > 
> > I'm not -1
> > 
> > But I'd definitely favor working on getting 9.0.0 final so we can
> > switch to
> > Jakarta EE 10 and MicroProfile 6.0
> > 
> > My vote: 0
> > 
> > On Tue, 6 Dec 2022, 16:11, Swell wrote:
> > 
> > > +1, we did not yet ship the fixes for the CVE, good to have them
> > > shipped
> > > 
> > > 
> > > On Tue, 6 Dec 2022 at 15:47, Richard Zowalla 
> > > wrote:
> > > 
> > > > Hi all,
> > > > 
> > > > We have some dependency updates (tomcat, cxf, hsqldb) and some
> > > > CVE
> > > > related fixes (woodstox, shaded bcel, ...).
> > > > 
> > > > I was thinking about having 8.0.14 before we all get too
> > > > stressed with
> > > > christmas, etc. and no one has time to review / test a 8.0.14
> > > > RC.
> > > > 
> > > > So my questions are:
> > > > 
> > > > - What is the community's opinion regarding a 8.0.14 before
> > > > christmas?
> > > > - Are we missing any important version upgrades? Any show
> > > > stoppers?
> > > > 
> > > > Here are the current changes in Jira
> > > > 
> > > > https://issues.apache.org/jira/projects/TOMEE/versions/12352390
> > > > 
> > > > and here is a list in plain text without the need to login:
> > > > 
> > > > == Dependency upgrade
> > > > 
> > > > [.compact]
> > > > - link:
> > > > https://issues.apache.org/jira/browse/TOMEE-4100[TOMEE-4100]  X
> > > > Bean 4.22
> > > > - link:
> > > > https://issues.apache.org/jira/browse/TOMEE-4118[TOMEE-4118]
> > > > CXF 3.4.9
> > > > - link:
> > > > https://issues.apache.org/jira/browse/TOMEE-4086[TOMEE-4086]
> > > > HSQLDB 2.7.1
> > > > - link:
> > > > https://issues.apache.org/jira/browse/TOMEE-4107[TOMEE-4107]
> > > > Jackson 2.14.0
> > > > - link:
> > > > https://issues.apache.org/jira/browse/TOMEE-4116[TOMEE-4116]
> > > > Tomcat 9.0.69
> > > > - link:
> > > > https://issues.apache.org/jira/browse/TOMEE-4121[TOMEE-4121]
> > > > Tomcat 9.0.70
> > > > - link:
> > > > https://issues.apache.org/jira/browse/TOMEE-4109[TOMEE-4109]
> > > > Velocity 2.3
> > > > - link:
> > > > https://issues.apache.org/jira/browse/TOMEE-4110[TOMEE-4110]
> > > > Woodstox 6.4.0 (CVE-2022-40152)
> > > > - link:
> > > > https://issues.apache.org/jira/browse/TOMEE-4111[TOMEE-4111]
> > > > bcel component
> > > > - link:
> > > > https://issues.apache.org/jira/browse/TOMEE-4094[TOMEE-4094]
> > > > jackson 2.14.0-rc2
> > > > - link:
> > > > https://issues.apache.org/jira/browse/TOMEE-4103[TOMEE-4103]
> > > > woodstox-core
> > > > mitigate CVE-2022-40153
> > > > 
> > > > == Bug
> > > > 
> > > > [.compact]
> > > > - link:
> > > > https://issues.apache.org/jira/browse/TOMEE-4122[TOMEE-4122]
> > > > Performance Regression in bean resolution in EAR files
> > > > - link:
> > > > https://issues.apache.org/jira/browse/TOMEE-4101[TOMEE-4101]
> > > > Typo with EL22Adaptor implementation in openwebbeans.properties
> > > > - link:
> > > > https://issues.apache.org/jira/browse/TOMEE-4102[TOMEE-4102]
> > > > TomEE logs SEVERE: Expected ContextBinding to have the method
> > > > getThreadName()
> > > > - link:
> > > > https://issues.apache.org/jira/browse/TOMEE-4014[TOMEE-4014]
> > > > Unable to see TomEE version in Tomcat home page with Java 17
> > > > - link:
> > > > https://issues.apache.org/jira/browse/TOMEE-4106[TOMEE-4106]
> > > > TomEE version no longer appearing at default manager page
> > > > 
> > > > == Documentation
> > > > 
> > > > [.compact]
> > > > - link:
> > > > https://issues.apache.org/jira/browse/TOMEE-4104[TOMEE-4104]
> > > > Documentation Website: XA DataSource Configuration: Bug in
> > > > MySQL Sample
> > > > Code
> > > > 
> > > > == Fixed Common Vulnerabilities and Exposures (CVEs)
> > > > 
> > > > [.compact]
> > > > - link:
> > > > https://issues.apache.org/jira/browse/TOMEE-4086[TOMEE-4086]
> > > > HSQLDB 2.7.1
> > > > - link:
> > > > https://issues.apache.org/jira/browse/TOMEE-4111[TOMEE-4111]
> > > > Upgrade bcel component in TomEE
> > > > - link:
> > > > https://issues.apache.org/jira/browse/TOMEE-4103[TOMEE-4103]
> > > > Update woodstox-core to mitigate CVE-2022-40153
> > > > 
> > > > Regards
> > > > Richard
> > > > 
> > > > 



Re: Having 8.0.14 before christmas? Opinions?

2022-12-06 Thread Wiesner, Martin
My vote: 
+1

--
Best
Martin

> On 06.12.2022 at 16:25, Jean-Louis Monteiro wrote:
> 
> I'm not -1
> 
> But I'd definitely favor working on getting 9.0.0 final so we can switch to
> Jakarta EE 10 and MicroProfile 6.0
> 
> My vote: 0
> 
> On Tue, 6 Dec 2022, 16:11, Swell wrote:
> 
>> +1, we did not yet ship the fixes for the CVE, good to have them shipped
>> 
>> 
>> On Tue, 6 Dec 2022 at 15:47, Richard Zowalla  wrote:
>> 
>>> Hi all,
>>> 
>>> We have some dependency updates (tomcat, cxf, hsqldb) and some CVE
>>> related fixes (woodstox, shaded bcel, ...).
>>> 
>>> I was thinking about having 8.0.14 before we all get too stressed with
>>> christmas, etc. and no one has time to review / test a 8.0.14 RC.
>>> 
>>> So my questions are:
>>> 
>>> - What is the community's opinion regarding a 8.0.14 before christmas?
>>> - Are we missing any important version upgrades? Any show stoppers?
>>> 
>>> Here are the current changes in Jira
>>> 
>>> https://issues.apache.org/jira/projects/TOMEE/versions/12352390
>>> 
>>> and here is a list in plain text without the need to login:
>>> 
>>> == Dependency upgrade
>>> 
>>> [.compact]
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4100[TOMEE-4100]  X
>>> Bean 4.22
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4118[TOMEE-4118]
>>> CXF 3.4.9
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4086[TOMEE-4086]
>>> HSQLDB 2.7.1
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4107[TOMEE-4107]
>>> Jackson 2.14.0
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4116[TOMEE-4116]
>>> Tomcat 9.0.69
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4121[TOMEE-4121]
>>> Tomcat 9.0.70
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4109[TOMEE-4109]
>>> Velocity 2.3
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4110[TOMEE-4110]
>>> Woodstox 6.4.0 (CVE-2022-40152)
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4111[TOMEE-4111]
>>> bcel component
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4094[TOMEE-4094]
>>> jackson 2.14.0-rc2
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4103[TOMEE-4103]
>>> woodstox-core
>>> mitigate CVE-2022-40153
>>> 
>>> == Bug
>>> 
>>> [.compact]
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4122[TOMEE-4122]
>>> Performance Regression in bean resolution in EAR files
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4101[TOMEE-4101]
>>> Typo with EL22Adaptor implementation in openwebbeans.properties
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4102[TOMEE-4102]
>>> TomEE logs SEVERE: Expected ContextBinding to have the method
>>> getThreadName()
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4014[TOMEE-4014]
>>> Unable to see TomEE version in Tomcat home page with Java 17
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4106[TOMEE-4106]
>>> TomEE version no longer appearing at default manager page
>>> 
>>> == Documentation
>>> 
>>> [.compact]
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4104[TOMEE-4104]
>>> Documentation Website: XA DataSource Configuration: Bug in MySQL Sample
>>> Code
>>> 
>>> == Fixed Common Vulnerabilities and Exposures (CVEs)
>>> 
>>> [.compact]
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4086[TOMEE-4086]
>>> HSQLDB 2.7.1
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4111[TOMEE-4111]
>>> Upgrade bcel component in TomEE
>>> - link:https://issues.apache.org/jira/browse/TOMEE-4103[TOMEE-4103]
>>> Update woodstox-core to mitigate CVE-2022-40153
>>> 
>>> Regards
>>> Richard
>>> 
>>> 
>> 





Re: Having 8.0.14 before christmas? Opinions?

2022-12-06 Thread Jean-Louis Monteiro
I'm not -1

But I'd definitely favor working on getting 9.0.0 final so we can switch to
Jakarta EE 10 and MicroProfile 6.0

My vote: 0

On Tue, 6 Dec 2022, 16:11, Swell wrote:

> +1, we did not yet ship the fixes for the CVE, good to have them shipped
>
>
> On Tue, 6 Dec 2022 at 15:47, Richard Zowalla  wrote:
>
> > Hi all,
> >
> > We have some dependency updates (tomcat, cxf, hsqldb) and some CVE
> > related fixes (woodstox, shaded bcel, ...).
> >
> > I was thinking about having 8.0.14 before we all get too stressed with
> > christmas, etc. and no one has time to review / test a 8.0.14 RC.
> >
> > So my questions are:
> >
> > - What is the community's opinion regarding a 8.0.14 before christmas?
> > - Are we missing any important version upgrades? Any show stoppers?
> >
> > Here are the current changes in Jira
> >
> > https://issues.apache.org/jira/projects/TOMEE/versions/12352390
> >
> > and here is a list in plain text without the need to login:
> >
> > == Dependency upgrade
> >
> > [.compact]
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4100[TOMEE-4100]  X
> > Bean 4.22
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4118[TOMEE-4118]
> > CXF 3.4.9
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4086[TOMEE-4086]
> > HSQLDB 2.7.1
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4107[TOMEE-4107]
> > Jackson 2.14.0
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4116[TOMEE-4116]
> > Tomcat 9.0.69
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4121[TOMEE-4121]
> > Tomcat 9.0.70
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4109[TOMEE-4109]
> > Velocity 2.3
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4110[TOMEE-4110]
> > Woodstox 6.4.0 (CVE-2022-40152)
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4111[TOMEE-4111]
> > bcel component
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4094[TOMEE-4094]
> > jackson 2.14.0-rc2
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4103[TOMEE-4103]
> > woodstox-core
> > mitigate CVE-2022-40153
> >
> > == Bug
> >
> > [.compact]
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4122[TOMEE-4122]
> > Performance Regression in bean resolution in EAR files
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4101[TOMEE-4101]
> > Typo with EL22Adaptor implementation in openwebbeans.properties
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4102[TOMEE-4102]
> > TomEE logs SEVERE: Expected ContextBinding to have the method
> > getThreadName()
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4014[TOMEE-4014]
> > Unable to see TomEE version in Tomcat home page with Java 17
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4106[TOMEE-4106]
> > TomEE version no longer appearing at default manager page
> >
> > == Documentation
> >
> > [.compact]
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4104[TOMEE-4104]
> > Documentation Website: XA DataSource Configuration: Bug in MySQL Sample
> > Code
> >
> > == Fixed Common Vulnerabilities and Exposures (CVEs)
> >
> > [.compact]
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4086[TOMEE-4086]
> > HSQLDB 2.7.1
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4111[TOMEE-4111]
> > Upgrade bcel component in TomEE
> >  - link:https://issues.apache.org/jira/browse/TOMEE-4103[TOMEE-4103]
> > Update woodstox-core to mitigate CVE-2022-40153
> >
> > Regards
> > Richard
> >
> >
>


Re: Having 8.0.14 before christmas? Opinions?

2022-12-06 Thread Swell
+1, we did not yet ship the fixes for the CVE, good to have them shipped


On Tue, 6 Dec 2022 at 15:47, Richard Zowalla  wrote:

> Hi all,
>
> We have some dependency updates (tomcat, cxf, hsqldb) and some CVE
> related fixes (woodstox, shaded bcel, ...).
>
> I was thinking about having 8.0.14 before we all get too stressed with
> christmas, etc. and no one has time to review / test a 8.0.14 RC.
>
> So my questions are:
>
> - What is the community's opinion regarding an 8.0.14 before Christmas?
> - Are we missing any important version upgrades? Any show stoppers?
>
> Here are the current changes in Jira
>
> https://issues.apache.org/jira/projects/TOMEE/versions/12352390
>
> and here is a list in plain text without the need to login:
>
> == Dependency upgrade
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4100[TOMEE-4100]
> XBean 4.22
>  - link:https://issues.apache.org/jira/browse/TOMEE-4118[TOMEE-4118]
> CXF 3.4.9
>  - link:https://issues.apache.org/jira/browse/TOMEE-4086[TOMEE-4086]
> HSQLDB 2.7.1
>  - link:https://issues.apache.org/jira/browse/TOMEE-4107[TOMEE-4107]
> Jackson 2.14.0
>  - link:https://issues.apache.org/jira/browse/TOMEE-4116[TOMEE-4116]
> Tomcat 9.0.69
>  - link:https://issues.apache.org/jira/browse/TOMEE-4121[TOMEE-4121]
> Tomcat 9.0.70
>  - link:https://issues.apache.org/jira/browse/TOMEE-4109[TOMEE-4109]
> Velocity 2.3
>  - link:https://issues.apache.org/jira/browse/TOMEE-4110[TOMEE-4110]
> Woodstox 6.4.0 (CVE-2022-40152)
>  - link:https://issues.apache.org/jira/browse/TOMEE-4111[TOMEE-4111]
> bcel component
>  - link:https://issues.apache.org/jira/browse/TOMEE-4094[TOMEE-4094]
> jackson 2.14.0-rc2
>  - link:https://issues.apache.org/jira/browse/TOMEE-4103[TOMEE-4103]
> woodstox-core mitigate CVE-2022-40153
>
> == Bug
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4122[TOMEE-4122]
> Performance Regression in bean resolution in EAR files
>  - link:https://issues.apache.org/jira/browse/TOMEE-4101[TOMEE-4101]
> Typo with EL22Adaptor implementation in openwebbeans.properties
>  - link:https://issues.apache.org/jira/browse/TOMEE-4102[TOMEE-4102]
> TomEE logs SEVERE: Expected ContextBinding to have the method
> getThreadName()
>  - link:https://issues.apache.org/jira/browse/TOMEE-4014[TOMEE-4014]
> Unable to see TomEE version in Tomcat home page with Java 17
>  - link:https://issues.apache.org/jira/browse/TOMEE-4106[TOMEE-4106]
> TomEE version no longer appearing at default manager page
>
> == Documentation
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4104[TOMEE-4104]
> Documentation Website: XA DataSource Configuration: Bug in MySQL Sample
> Code
>
> == Fixed Common Vulnerabilities and Exposures (CVEs)
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4086[TOMEE-4086]
> HSQLDB 2.7.1
>  - link:https://issues.apache.org/jira/browse/TOMEE-4111[TOMEE-4111]
> Upgrade bcel component in TomEE
>  - link:https://issues.apache.org/jira/browse/TOMEE-4103[TOMEE-4103]
> Update woodstox-core to mitigate CVE-2022-40153
>
> Gruß
> Richard
>
>


Having 8.0.14 before christmas? Opinions?

2022-12-06 Thread Richard Zowalla
Hi all,

We have some dependency updates (tomcat, cxf, hsqldb) and some CVE
related fixes (woodstox, shaded bcel, ...). 

I was thinking about having 8.0.14 before we all get too stressed with
Christmas, etc. and no one has time to review / test an 8.0.14 RC.

So my questions are:

- What is the community's opinion regarding an 8.0.14 before Christmas?
- Are we missing any important version upgrades? Any show stoppers?

Here are the current changes in Jira

https://issues.apache.org/jira/projects/TOMEE/versions/12352390

and here is a list in plain text without the need to login:

== Dependency upgrade

[.compact]
 - link:https://issues.apache.org/jira/browse/TOMEE-4100[TOMEE-4100]
XBean 4.22
 - link:https://issues.apache.org/jira/browse/TOMEE-4118[TOMEE-4118]
CXF 3.4.9
 - link:https://issues.apache.org/jira/browse/TOMEE-4086[TOMEE-4086]
HSQLDB 2.7.1
 - link:https://issues.apache.org/jira/browse/TOMEE-4107[TOMEE-4107]
Jackson 2.14.0
 - link:https://issues.apache.org/jira/browse/TOMEE-4116[TOMEE-4116]
Tomcat 9.0.69
 - link:https://issues.apache.org/jira/browse/TOMEE-4121[TOMEE-4121]
Tomcat 9.0.70
 - link:https://issues.apache.org/jira/browse/TOMEE-4109[TOMEE-4109]
Velocity 2.3
 - link:https://issues.apache.org/jira/browse/TOMEE-4110[TOMEE-4110]
Woodstox 6.4.0 (CVE-2022-40152)
 - link:https://issues.apache.org/jira/browse/TOMEE-4111[TOMEE-4111]
bcel component
 - link:https://issues.apache.org/jira/browse/TOMEE-4094[TOMEE-4094]
jackson 2.14.0-rc2
 - link:https://issues.apache.org/jira/browse/TOMEE-4103[TOMEE-4103]
woodstox-core mitigate CVE-2022-40153

== Bug

[.compact]
 - link:https://issues.apache.org/jira/browse/TOMEE-4122[TOMEE-4122]
Performance Regression in bean resolution in EAR files
 - link:https://issues.apache.org/jira/browse/TOMEE-4101[TOMEE-4101]
Typo with EL22Adaptor implementation in openwebbeans.properties 
 - link:https://issues.apache.org/jira/browse/TOMEE-4102[TOMEE-4102]
TomEE logs SEVERE: Expected ContextBinding to have the method getThreadName()
 - link:https://issues.apache.org/jira/browse/TOMEE-4014[TOMEE-4014]
Unable to see TomEE version in Tomcat home page with Java 17
 - link:https://issues.apache.org/jira/browse/TOMEE-4106[TOMEE-4106]
TomEE version no longer appearing at default manager page

== Documentation

[.compact]
 - link:https://issues.apache.org/jira/browse/TOMEE-4104[TOMEE-4104]
Documentation Website: XA DataSource Configuration: Bug in MySQL Sample Code

== Fixed Common Vulnerabilities and Exposures (CVEs)

[.compact]
 - link:https://issues.apache.org/jira/browse/TOMEE-4086[TOMEE-4086]
HSQLDB 2.7.1
 - link:https://issues.apache.org/jira/browse/TOMEE-4111[TOMEE-4111]
Upgrade bcel component in TomEE
 - link:https://issues.apache.org/jira/browse/TOMEE-4103[TOMEE-4103]
Update woodstox-core to mitigate CVE-2022-40153

Gruß
Richard