Hello,

[-1] (non binding)

Indeed, I downloaded TomEE+ 7.1.5 binary (from
https://dist.apache.org/repos/dist/dev/tomee/staging-1206/tomee-7.1.5/apache-tomee-7.1.5-plus.tar.gz)
and then I ran Grype (https://github.com/anchore/grype) on TomEE+'s
archive extract directory.

That gives 2 Critical and 125 High CVEs (see attached Grype output for
this scan).

I agree with whoever will say that Grype isn't quite smart, but
nevertheless the world is now paranoid about security matters.

I don't think releasing a "last 7.1.x" version with CVEs would be of
any good, so Grype's output is all false positive, then at least we
need a statement to avoid confusion in this page:
https://tomee.apache.org/security/tomee.html

Please also note in attached Grype output the Warning lines related to
archive-xbean-asm6-shaded-4.8.jar: isn't that showing a somehow
malformed MANIFEST?

Thanks,
Alex

On Mon, 1 Aug 2022 at 19:35, Richard Zowalla <r...@apache.org> wrote:
>
> Hi all,
>
> this is a first attempt at a vote for a release of Apache TomEE 7.1.5
>
> It is a maintenance release with some bug fixes and dependency
> upgrades for which there was some interest on the list.
>
> Yet, a discussion, if this will be the last release of the 7.1.x
> series, is pending.
>
> Here is some info:
>
> Maven Repo:
> https://repository.apache.org/content/repositories/orgapachetomee-1206
>
>   <repositories>
>     <repository>
>       <id>tomee-7.1.5-release-test</id>
>       <name>Testing TomEE 7.1.5 release candidate</name>
>       <url>https://repository.apache.org/content/repositories/orgapachetomee-1206</url>
>     </repository>
>   </repositories>
>
>
> Binaries & Source:
> https://dist.apache.org/repos/dist/dev/tomee/staging-1206/
>
> Tag:
> https://github.com/apache/tomee/tree/tomee-project-7.1.5
>
> Latest (green) CI/CD build:
>
> https://ci-builds.apache.org/job/Tomee/job/tomee-7.1.x/19/
>
> Release notes:
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12349482
>
>
> Here is an adoc generated version of the changelog as well:
>
>
> == Dependency upgrade
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-2959[TOMEE-2959]
> jackson 2.12.0
>  - link:https://issues.apache.org/jira/browse/TOMEE-3941[TOMEE-3941]
> ActiveMQ 5.16.5
>  - link:https://issues.apache.org/jira/browse/TOMEE-3985[TOMEE-3985]
> BatchEE 1.0.2
>  - link:https://issues.apache.org/jira/browse/TOMEE-3772[TOMEE-3772]
> JUnit 4.13.2
>  - link:https://issues.apache.org/jira/browse/TOMEE-2979[TOMEE-2979]
> MyFaces 2.2.14
>  - link:https://issues.apache.org/jira/browse/TOMEE-4016[TOMEE-4016]
> Myfaces 2.2.15
>  - link:https://issues.apache.org/jira/browse/TOMEE-2958[TOMEE-2958]
> Tomcat 8.5.61
>  - link:https://issues.apache.org/jira/browse/TOMEE-4017[TOMEE-4017]
> Tomcat 8.5.81
>  - link:https://issues.apache.org/jira/browse/TOMEE-2939[TOMEE-2939]
> bcprov-jdk15on 1.67
>  - link:https://issues.apache.org/jira/browse/TOMEE-4018[TOMEE-4018]
> bcprov-jdk15on 1.70
>  - link:https://issues.apache.org/jira/browse/TOMEE-3719[TOMEE-3719]
> commons-io 2.8
>
> == Bug
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-2919[TOMEE-2919]
> java.util.ConcurrentModificationException error deploying ear in TomEE Plus 
> 7.1.4
>  - link:https://issues.apache.org/jira/browse/TOMEE-2968[TOMEE-2968]
> Postgres connection error when a password contains "}"
>  - link:https://issues.apache.org/jira/browse/TOMEE-2125[TOMEE-2125]
> Datasource config: MaxWait, timeBetweenEvictionRunsMillis and 
> MinEvictableIdleTimeMillis are ignored
>  - link:https://issues.apache.org/jira/browse/TOMEE-3718[TOMEE-3718]
> Missing mime mappings
>
> == Improvement
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-2957[TOMEE-2957]
> Fix OWASP Checks on ASF Jenkins Environment
>  - link:https://issues.apache.org/jira/browse/TOMEE-2973[TOMEE-2973]
> TomEE :: Examples :: JSF2/CDI/BV/JPA/DeltaSpike uses too old version of 
> commons-lang3
>
>
> Please VOTE
>
> [+1] go ship it
> [+0] meh, don't care
> [-1] stop, there is a ${showstopper}
>
> The VOTE is open for 72h or as long as needed.
>
> Regards
> Richard
>
[0000]  WARN java manifest "/tmp/syft-archive-contents-889230378/archive-xbean-asm6-shaded-4.8.jar": found continuation with no previous key: "          org.apache.xbean.asm6.signature;version=\"[6.1.1,6.1.1]\"," from-lib=syft
[0000]  WARN java manifest "/tmp/syft-archive-contents-889230378/archive-xbean-asm6-shaded-4.8.jar": found continuation with no previous key: "          org.apache.xbean.asm6.commons;version=\"[6.1.1,6.1.1]\"," from-lib=syft
[0000]  WARN java manifest "/tmp/syft-archive-contents-889230378/archive-xbean-asm6-shaded-4.8.jar": found continuation with no previous key: "        org.apache.xbean.asm6.tree;version=\"[6.1.1,6.1.1]\"" from-lib=syft
[0000]  WARN java manifest "/tmp/syft-archive-contents-889230378/archive-xbean-asm6-shaded-4.8.jar": found continuation with no previous key: "          org.apache.xbean.asm6;version=6.1.1," from-lib=syft
[0000]  WARN java manifest "/tmp/syft-archive-contents-889230378/archive-xbean-asm6-shaded-4.8.jar": found continuation with no previous key: "            org.apache." from-lib=syft
[0000]  WARN java manifest "/tmp/syft-archive-contents-889230378/archive-xbean-asm6-shaded-4.8.jar": found continuation with no previous key: " xbean.asm6.signature;version=6.1.1," from-lib=syft
[0000]  WARN java manifest "/tmp/syft-archive-contents-889230378/archive-xbean-asm6-shaded-4.8.jar": found continuation with no previous key: "            org.apache.xbean.asm6" from-lib=syft
[0000]  WARN java manifest "/tmp/syft-archive-contents-889230378/archive-xbean-asm6-shaded-4.8.jar": found continuation with no previous key: " .commons;version=6.1.1," from-lib=syft
[0000]  WARN java manifest "/tmp/syft-archive-contents-889230378/archive-xbean-asm6-shaded-4.8.jar": found continuation with no previous key: "            org.apache.xbean.asm6.tree;versio" from-lib=syft
[0000]  WARN java manifest "/tmp/syft-archive-contents-889230378/archive-xbean-asm6-shaded-4.8.jar": found continuation with no previous key: " n=6.1.1" from-lib=syft
[0000]  WARN java manifest section found without a name: /tmp/syft-archive-contents-889230378/archive-xbean-asm6-shaded-4.8.jar from-lib=syft
[0000]  WARN java manifest section found without a name: /tmp/syft-archive-contents-889230378/archive-xbean-asm6-shaded-4.8.jar from-lib=syft
NAME                               INSTALLED       FIXED-IN  TYPE          VULNERABILITY        SEVERITY
activemq-protobuf                  1.1                       java-archive  CVE-2010-0684        Low
activemq-protobuf                  1.1                       java-archive  CVE-2016-3088        Critical
activemq-protobuf                  1.1                       java-archive  CVE-2013-1880        Medium
activemq-protobuf                  1.1                       java-archive  CVE-2012-6092        Medium
activemq-protobuf                  1.1                       java-archive  CVE-2018-11775       High
activemq-protobuf                  1.1                       java-archive  CVE-2012-6551        Medium
activemq-protobuf                  1.1                       java-archive  CVE-2015-7559        Medium
activemq-protobuf                  1.1                       java-archive  CVE-2020-13920       Medium
activemq-protobuf                  1.1                       java-archive  CVE-2011-4905        Medium
activemq-protobuf                  1.1                       java-archive  CVE-2012-5784        Medium
activemq-protobuf                  1.1                       java-archive  CVE-2010-1244        Medium
activemq-protobuf                  1.1                       java-archive  CVE-2020-13947       Medium
activemq-protobuf                  1.1                       java-archive  CVE-2013-3060        Medium
activemq-protobuf                  1.1                       java-archive  CVE-2014-3576        High
activemq-protobuf                  1.1                       java-archive  CVE-2013-1879        Medium
cxf-core                           3.1.18                    java-archive  CVE-2021-30468       High
cxf-core                           3.1.18                    java-archive  CVE-2019-12423       High
cxf-core                           3.1.18                    java-archive  CVE-2019-12406       Medium
cxf-core                           3.1.18                    java-archive  CVE-2020-13954       Medium
cxf-core                           3.1.18                    java-archive  CVE-2021-22696       High
cxf-core                           3.1.18                    java-archive  CVE-2020-1954        Medium
cxf-rt-bindings-soap               3.1.18                    java-archive  CVE-2021-22696       High
cxf-rt-bindings-soap               3.1.18                    java-archive  CVE-2019-12423       High
cxf-rt-bindings-soap               3.1.18                    java-archive  CVE-2020-1954        Medium
cxf-rt-bindings-soap               3.1.18                    java-archive  CVE-2019-12406       Medium
cxf-rt-bindings-soap               3.1.18                    java-archive  CVE-2021-30468       High
cxf-rt-bindings-soap               3.1.18                    java-archive  CVE-2020-13954       Medium
cxf-rt-bindings-xml                3.1.18                    java-archive  CVE-2020-13954       Medium
cxf-rt-bindings-xml                3.1.18                    java-archive  CVE-2019-12423       High
cxf-rt-bindings-xml                3.1.18                    java-archive  CVE-2020-1954        Medium
cxf-rt-bindings-xml                3.1.18                    java-archive  CVE-2021-22696       High
cxf-rt-bindings-xml                3.1.18                    java-archive  CVE-2019-12406       Medium
cxf-rt-bindings-xml                3.1.18                    java-archive  CVE-2021-30468       High
cxf-rt-databinding-jaxb            3.1.18                    java-archive  CVE-2021-22696       High
cxf-rt-databinding-jaxb            3.1.18                    java-archive  CVE-2020-13954       Medium
cxf-rt-databinding-jaxb            3.1.18                    java-archive  CVE-2019-12423       High
cxf-rt-databinding-jaxb            3.1.18                    java-archive  CVE-2021-30468       High
cxf-rt-databinding-jaxb            3.1.18                    java-archive  CVE-2020-1954        Medium
cxf-rt-databinding-jaxb            3.1.18                    java-archive  CVE-2019-12406       Medium
cxf-rt-frontend-jaxrs              3.1.18                    java-archive  CVE-2021-22696       High
cxf-rt-frontend-jaxrs              3.1.18                    java-archive  CVE-2020-13954       Medium
cxf-rt-frontend-jaxrs              3.1.18                    java-archive  CVE-2019-12423       High
cxf-rt-frontend-jaxrs              3.1.18                    java-archive  CVE-2020-1954        Medium
cxf-rt-frontend-jaxrs              3.1.18                    java-archive  CVE-2021-30468       High
cxf-rt-frontend-jaxrs              3.1.18                    java-archive  CVE-2019-12406       Medium
cxf-rt-frontend-jaxws              3.1.18                    java-archive  CVE-2021-30468       High
cxf-rt-frontend-jaxws              3.1.18                    java-archive  CVE-2020-13954       Medium
cxf-rt-frontend-jaxws              3.1.18                    java-archive  CVE-2019-12423       High
cxf-rt-frontend-jaxws              3.1.18                    java-archive  CVE-2019-12406       Medium
cxf-rt-frontend-jaxws              3.1.18                    java-archive  CVE-2021-22696       High
cxf-rt-frontend-jaxws              3.1.18                    java-archive  CVE-2020-1954        Medium
cxf-rt-frontend-simple             3.1.18                    java-archive  CVE-2021-30468       High
cxf-rt-frontend-simple             3.1.18                    java-archive  CVE-2020-13954       Medium
cxf-rt-frontend-simple             3.1.18                    java-archive  CVE-2019-12406       Medium
cxf-rt-frontend-simple             3.1.18                    java-archive  CVE-2019-12423       High
cxf-rt-frontend-simple             3.1.18                    java-archive  CVE-2021-22696       High
cxf-rt-frontend-simple             3.1.18                    java-archive  CVE-2020-1954        Medium
cxf-rt-management                  3.1.18                    java-archive  CVE-2020-13954       Medium
cxf-rt-management                  3.1.18                    java-archive  CVE-2020-1954        Medium
cxf-rt-management                  3.1.18                    java-archive  CVE-2019-12406       Medium
cxf-rt-management                  3.1.18                    java-archive  CVE-2019-12423       High
cxf-rt-management                  3.1.18                    java-archive  CVE-2021-22696       High
cxf-rt-management                  3.1.18                    java-archive  CVE-2021-30468       High
cxf-rt-rs-client                   3.1.18                    java-archive  CVE-2020-1954        Medium
cxf-rt-rs-client                   3.1.18                    java-archive  CVE-2021-22696       High
cxf-rt-rs-client                   3.1.18                    java-archive  CVE-2021-30468       High
cxf-rt-rs-client                   3.1.18                    java-archive  CVE-2019-12423       High
cxf-rt-rs-client                   3.1.18                    java-archive  CVE-2020-13954       Medium
cxf-rt-rs-client                   3.1.18                    java-archive  CVE-2019-12406       Medium
cxf-rt-rs-extension-providers      3.1.18                    java-archive  CVE-2020-1954        Medium
cxf-rt-rs-extension-providers      3.1.18                    java-archive  CVE-2021-30468       High
cxf-rt-rs-extension-providers      3.1.18                    java-archive  CVE-2021-22696       High
cxf-rt-rs-extension-providers      3.1.18                    java-archive  CVE-2019-12406       Medium
cxf-rt-rs-extension-providers      3.1.18                    java-archive  CVE-2019-12423       High
cxf-rt-rs-extension-providers      3.1.18                    java-archive  CVE-2020-13954       Medium
cxf-rt-rs-extension-search         3.1.18                    java-archive  CVE-2019-12423       High
cxf-rt-rs-extension-search         3.1.18                    java-archive  CVE-2021-30468       High
cxf-rt-rs-extension-search         3.1.18                    java-archive  CVE-2019-12406       Medium
cxf-rt-rs-extension-search         3.1.18                    java-archive  CVE-2020-13954       Medium
cxf-rt-rs-extension-search         3.1.18                    java-archive  CVE-2021-22696       High
cxf-rt-rs-extension-search         3.1.18                    java-archive  CVE-2020-1954        Medium
cxf-rt-rs-json-basic               3.1.18                    java-archive  CVE-2020-1954        Medium
cxf-rt-rs-json-basic               3.1.18                    java-archive  CVE-2021-22696       High
cxf-rt-rs-json-basic               3.1.18                    java-archive  CVE-2019-12406       Medium
cxf-rt-rs-json-basic               3.1.18                    java-archive  CVE-2019-12423       High
cxf-rt-rs-json-basic               3.1.18                    java-archive  CVE-2021-30468       High
cxf-rt-rs-json-basic               3.1.18                    java-archive  CVE-2020-13954       Medium
cxf-rt-rs-security-cors            3.1.18                    java-archive  CVE-2019-12406       Medium
cxf-rt-rs-security-cors            3.1.18                    java-archive  CVE-2020-1954        Medium
cxf-rt-rs-security-cors            3.1.18                    java-archive  CVE-2021-22696       High
cxf-rt-rs-security-cors            3.1.18                    java-archive  CVE-2020-13954       Medium
cxf-rt-rs-security-cors            3.1.18                    java-archive  CVE-2021-30468       High
cxf-rt-rs-security-cors            3.1.18                    java-archive  CVE-2019-12423       High
cxf-rt-rs-security-jose            3.1.18                    java-archive  CVE-2020-13954       Medium
cxf-rt-rs-security-jose            3.1.18                    java-archive  CVE-2021-30468       High
cxf-rt-rs-security-jose            3.1.18                    java-archive  CVE-2021-22696       High
cxf-rt-rs-security-jose            3.1.18                    java-archive  CVE-2019-12406       Medium
cxf-rt-rs-security-jose            3.1.18                    java-archive  CVE-2019-12423       High
cxf-rt-rs-security-jose            3.1.18                    java-archive  CVE-2020-1954        Medium
cxf-rt-rs-security-jose-jaxrs      3.1.18                    java-archive  CVE-2019-12406       Medium
cxf-rt-rs-security-jose-jaxrs      3.1.18                    java-archive  CVE-2019-12423       High
cxf-rt-rs-security-jose-jaxrs      3.1.18                    java-archive  CVE-2021-30468       High
cxf-rt-rs-security-jose-jaxrs      3.1.18                    java-archive  CVE-2020-1954        Medium
cxf-rt-rs-security-jose-jaxrs      3.1.18                    java-archive  CVE-2020-13954       Medium
cxf-rt-rs-security-jose-jaxrs      3.1.18                    java-archive  CVE-2021-22696       High
cxf-rt-rs-security-oauth2          3.1.18                    java-archive  CVE-2021-30468       High
cxf-rt-rs-security-oauth2          3.1.18                    java-archive  CVE-2020-1954        Medium
cxf-rt-rs-security-oauth2          3.1.18                    java-archive  CVE-2021-22696       High
cxf-rt-rs-security-oauth2          3.1.18                    java-archive  CVE-2019-12423       High
cxf-rt-rs-security-oauth2          3.1.18                    java-archive  CVE-2019-12406       Medium
cxf-rt-rs-security-oauth2          3.1.18                    java-archive  CVE-2020-13954       Medium
cxf-rt-rs-service-description      3.1.18                    java-archive  CVE-2019-12406       Medium
cxf-rt-rs-service-description      3.1.18                    java-archive  CVE-2021-22696       High
cxf-rt-rs-service-description      3.1.18                    java-archive  CVE-2019-12423       High
cxf-rt-rs-service-description      3.1.18                    java-archive  CVE-2020-13954       Medium
cxf-rt-rs-service-description      3.1.18                    java-archive  CVE-2020-1954        Medium
cxf-rt-rs-service-description      3.1.18                    java-archive  CVE-2021-30468       High
cxf-rt-security                    3.1.18                    java-archive  CVE-2021-30468       High
cxf-rt-security                    3.1.18                    java-archive  CVE-2021-22696       High
cxf-rt-security                    3.1.18                    java-archive  CVE-2020-1954        Medium
cxf-rt-security                    3.1.18                    java-archive  CVE-2019-12406       Medium
cxf-rt-security                    3.1.18                    java-archive  CVE-2020-13954       Medium
cxf-rt-security                    3.1.18                    java-archive  CVE-2019-12423       High
cxf-rt-security-saml               3.1.18                    java-archive  CVE-2020-13954       Medium
cxf-rt-security-saml               3.1.18                    java-archive  CVE-2020-1954        Medium
cxf-rt-security-saml               3.1.18                    java-archive  CVE-2019-12406       Medium
cxf-rt-security-saml               3.1.18                    java-archive  CVE-2021-22696       High
cxf-rt-security-saml               3.1.18                    java-archive  CVE-2019-12423       High
cxf-rt-security-saml               3.1.18                    java-archive  CVE-2021-30468       High
cxf-rt-transports-http             3.1.18                    java-archive  CVE-2019-12406       Medium
cxf-rt-transports-http             3.1.18                    java-archive  CVE-2020-13954       Medium
cxf-rt-transports-http             3.1.18                    java-archive  CVE-2019-12423       High
cxf-rt-transports-http             3.1.18                    java-archive  CVE-2021-30468       High
cxf-rt-transports-http             3.1.18                    java-archive  CVE-2021-22696       High
cxf-rt-transports-http             3.1.18                    java-archive  CVE-2020-1954        Medium
cxf-rt-ws-addr                     3.1.18                    java-archive  CVE-2020-1954        Medium
cxf-rt-ws-addr                     3.1.18                    java-archive  CVE-2019-12406       Medium
cxf-rt-ws-addr                     3.1.18                    java-archive  CVE-2021-22696       High
cxf-rt-ws-addr                     3.1.18                    java-archive  CVE-2020-13954       Medium
cxf-rt-ws-addr                     3.1.18                    java-archive  CVE-2019-12423       High
cxf-rt-ws-addr                     3.1.18                    java-archive  CVE-2021-30468       High
cxf-rt-ws-policy                   3.1.18                    java-archive  CVE-2021-22696       High
cxf-rt-ws-policy                   3.1.18                    java-archive  CVE-2020-1954        Medium
cxf-rt-ws-policy                   3.1.18                    java-archive  CVE-2019-12406       Medium
cxf-rt-ws-policy                   3.1.18                    java-archive  CVE-2019-12423       High
cxf-rt-ws-policy                   3.1.18                    java-archive  CVE-2020-13954       Medium
cxf-rt-ws-policy                   3.1.18                    java-archive  CVE-2021-30468       High
cxf-rt-ws-security                 3.1.18                    java-archive  CVE-2019-12423       High
cxf-rt-ws-security                 3.1.18                    java-archive  CVE-2019-12406       Medium
cxf-rt-ws-security                 3.1.18                    java-archive  CVE-2021-22696       High
cxf-rt-ws-security                 3.1.18                    java-archive  CVE-2020-1954        Medium
cxf-rt-ws-security                 3.1.18                    java-archive  CVE-2021-30468       High
cxf-rt-ws-security                 3.1.18                    java-archive  CVE-2020-13954       Medium
cxf-rt-wsdl                        3.1.18                    java-archive  CVE-2021-30468       High
cxf-rt-wsdl                        3.1.18                    java-archive  CVE-2020-13954       Medium
cxf-rt-wsdl                        3.1.18                    java-archive  CVE-2019-12406       Medium
cxf-rt-wsdl                        3.1.18                    java-archive  CVE-2021-22696       High
cxf-rt-wsdl                        3.1.18                    java-archive  CVE-2020-1954        Medium
cxf-rt-wsdl                        3.1.18                    java-archive  CVE-2019-12423       High
geronimo-activation_1.1_spec       1.1                       java-archive  CVE-2011-5034        High
geronimo-activation_1.1_spec       1.1                       java-archive  CVE-2008-0732        Low
geronimo-annotation_1.2_spec       1.0                       java-archive  CVE-2008-0732        Low
geronimo-annotation_1.2_spec       1.0                       java-archive  CVE-2011-5034        High
geronimo-annotation_1.2_spec       1.0                       java-archive  CVE-2006-0254        Medium
geronimo-atinject_1.0_spec         1.0                       java-archive  CVE-2006-0254        Medium
geronimo-atinject_1.0_spec         1.0                       java-archive  CVE-2011-5034        High
geronimo-atinject_1.0_spec         1.0                       java-archive  CVE-2008-0732        Low
geronimo-concurrent_1.0_spec       1.0-alpha-1               java-archive  CVE-2011-5034        High
geronimo-concurrent_1.0_spec       1.0-alpha-1               java-archive  CVE-2008-0732        Low
geronimo-connector                 3.1.4                     java-archive  CVE-2008-0732        Low
geronimo-ejb_3.2_spec              1.0-alpha-1               java-archive  CVE-2008-0732        Low
geronimo-ejb_3.2_spec              1.0-alpha-1               java-archive  CVE-2011-5034        High
geronimo-interceptor_1.2_spec      1.0                       java-archive  CVE-2011-5034        High
geronimo-interceptor_1.2_spec      1.0                       java-archive  CVE-2008-0732        Low
geronimo-interceptor_1.2_spec      1.0                       java-archive  CVE-2006-0254        Medium
geronimo-j2ee-connector_1.6_spec   1.0                       java-archive  CVE-2008-0732        Low
geronimo-j2ee-connector_1.6_spec   1.0                       java-archive  CVE-2011-5034        High
geronimo-j2ee-connector_1.6_spec   1.0                       java-archive  CVE-2006-0254        Medium
geronimo-j2ee-deployment_1.1_spec  1.1                       java-archive  CVE-2008-0732        Low
geronimo-j2ee-deployment_1.1_spec  1.1                       java-archive  CVE-2011-5034        High
geronimo-j2ee-management_1.1_spec  1.0.1                     java-archive  CVE-2008-0732        Low
geronimo-j2ee-management_1.1_spec  1.0.1                     java-archive  CVE-2011-5034        High
geronimo-jacc_1.4_spec             1.0                       java-archive  CVE-2011-5034        High
geronimo-jacc_1.4_spec             1.0                       java-archive  CVE-2008-0732        Low
geronimo-jacc_1.4_spec             1.0                       java-archive  CVE-2006-0254        Medium
geronimo-javamail_1.4_mail         1.9.0-alpha-2             java-archive  CVE-2008-0732        Low
geronimo-javamail_1.4_mail         1.9.0-alpha-2             java-archive  CVE-2011-5034        High
geronimo-javamail_1.4_provider     1.9.0-alpha-2             java-archive  CVE-2008-0732        Low
geronimo-javamail_1.4_provider     1.9.0-alpha-2             java-archive  CVE-2011-5034        High
geronimo-javamail_1.4_spec         1.7.2-alpha-1             java-archive  CVE-2011-5034        High
geronimo-javamail_1.4_spec         1.7.2-alpha-1             java-archive  CVE-2008-0732        Low
geronimo-jaxr_1.0_spec             2.1                       java-archive  CVE-2007-5085        Medium
geronimo-jaxr_1.0_spec             2.1                       java-archive  CVE-2008-5518        High
geronimo-jaxr_1.0_spec             2.1                       java-archive  CVE-2009-0039        Medium
geronimo-jaxr_1.0_spec             2.1                       java-archive  CVE-2009-0038        Medium
geronimo-jaxr_1.0_spec             2.1                       java-archive  CVE-2008-0732        Low
geronimo-jaxr_1.0_spec             2.1                       java-archive  CVE-2011-5034        High
geronimo-jaxr_1.0_spec             2.1                       java-archive  CVE-2007-5797        High
geronimo-jaxrpc_1.1_spec           2.1                       java-archive  CVE-2011-5034        High
geronimo-jaxrpc_1.1_spec           2.1                       java-archive  CVE-2008-5518        High
geronimo-jaxrpc_1.1_spec           2.1                       java-archive  CVE-2007-5797        High
geronimo-jaxrpc_1.1_spec           2.1                       java-archive  CVE-2008-0732        Low
geronimo-jaxrpc_1.1_spec           2.1                       java-archive  CVE-2007-5085        Medium
geronimo-jaxrpc_1.1_spec           2.1                       java-archive  CVE-2009-0039        Medium
geronimo-jaxrpc_1.1_spec           2.1                       java-archive  CVE-2009-0038        Medium
geronimo-jaxrs_2.0_spec            1.0-alpha-1               java-archive  CVE-2011-5034        High
geronimo-jaxrs_2.0_spec            1.0-alpha-1               java-archive  CVE-2008-0732        Low
geronimo-jaxws_2.2_spec            1.2                       java-archive  CVE-2011-5034        High
geronimo-jaxws_2.2_spec            1.2                       java-archive  CVE-2008-0732        Low
geronimo-jbatch_1.0_spec           1.0                       java-archive  CVE-2006-0254        Medium
geronimo-jbatch_1.0_spec           1.0                       java-archive  CVE-2008-0732        Low
geronimo-jbatch_1.0_spec           1.0                       java-archive  CVE-2011-5034        High
geronimo-jcache_1.0_spec           1.0-alpha-1               java-archive  CVE-2008-0732        Low
geronimo-jcache_1.0_spec           1.0-alpha-1               java-archive  CVE-2011-5034        High
geronimo-jcdi_1.1_spec             1.0                       java-archive  CVE-2008-0732        Low
geronimo-jcdi_1.1_spec             1.0                       java-archive  CVE-2006-0254        Medium
geronimo-jcdi_1.1_spec             1.0                       java-archive  CVE-2011-5034        High
geronimo-jms_2.0_spec              1.0-alpha-2               java-archive  CVE-2011-5034        High
geronimo-jms_2.0_spec              1.0-alpha-2               java-archive  CVE-2008-0732        Low
geronimo-jpa_2.1_spec              1.0-alpha-1               java-archive  CVE-2008-0732        Low
geronimo-jpa_2.1_spec              1.0-alpha-1               java-archive  CVE-2011-5034        High
geronimo-json_1.0_spec             1.0-alpha-1               java-archive  CVE-2011-5034        High
geronimo-json_1.0_spec             1.0-alpha-1               java-archive  CVE-2008-0732        Low
geronimo-jsonb_1.0_spec            1.0                       java-archive  CVE-2011-5034        High
geronimo-jsonb_1.0_spec            1.0                       java-archive  CVE-2008-0732        Low
geronimo-jsonb_1.0_spec            1.0                       java-archive  CVE-2006-0254        Medium
geronimo-jta_1.2_spec              1.0-alpha-1               java-archive  CVE-2008-0732        Low
geronimo-jta_1.2_spec              1.0-alpha-1               java-archive  CVE-2011-5034        High
geronimo-osgi-locator              1.0                       java-archive  CVE-2006-0254        Medium
geronimo-osgi-locator              1.0                       java-archive  CVE-2008-0732        Low
geronimo-osgi-locator              1.0                       java-archive  CVE-2011-5034        High
geronimo-saaj_1.3_spec             1.1                       java-archive  CVE-2011-5034        High
geronimo-saaj_1.3_spec             1.1                       java-archive  CVE-2008-0732        Low
geronimo-stax-api_1.2_spec         1.2                       java-archive  CVE-2011-5034        High
geronimo-stax-api_1.2_spec         1.2                       java-archive  CVE-2008-0732        Low
geronimo-transaction               3.1.4                     java-archive  CVE-2008-0732        Low
geronimo-validation_1.1_spec       1.0                       java-archive  CVE-2008-0732        Low
geronimo-validation_1.1_spec       1.0                       java-archive  CVE-2011-5034        High
geronimo-validation_1.1_spec       1.0                       java-archive  CVE-2006-0254        Medium
geronimo-ws-metadata_2.0_spec      1.1.3                     java-archive  CVE-2008-0732        Low
geronimo-ws-metadata_2.0_spec      1.1.3                     java-archive  CVE-2011-5034        High
jackson-databind                   2.12.0          2.12.6.1  java-archive  GHSA-57j2-w4cx-62h2  High
jackson-databind                   2.12.0                    java-archive  CVE-2020-36518       High
tomcat-jdbc                        8.5.81                    java-archive  CVE-2016-6325        High
tomcat-jdbc                        8.5.81                    java-archive  CVE-2016-5425        High
tomcat-jdbc                        8.5.81                    java-archive  CVE-2022-34305       Medium
tomcat-jdbc                        8.5.81                    java-archive  CVE-2020-8022        High
tomcat-juli                        7.1.5-SNAPSHOT            java-archive  CVE-2021-40690       High
tomee-catalina                     7.1.5-SNAPSHOT            java-archive  CVE-2021-40690       High
tomee-common                       7.1.5-SNAPSHOT            java-archive  CVE-2021-40690       High
tomee-jaxrs                        7.1.5-SNAPSHOT            java-archive  CVE-2021-40690       High
tomee-jdbc                         7.1.5-SNAPSHOT            java-archive  CVE-2021-40690       High
tomee-juli                         7.1.5-SNAPSHOT            java-archive  CVE-2021-40690       High
tomee-loader                       7.1.5-SNAPSHOT            java-archive  CVE-2021-40690       High
tomee-mojarra                      7.1.5-SNAPSHOT            java-archive  CVE-2021-40690       High
tomee-myfaces                      7.1.5-SNAPSHOT            java-archive  CVE-2021-40690       High
tomee-webapp                       7.1.5-SNAPSHOT            java-archive  CVE-2021-40690       High
tomee-webservices                  7.1.5-SNAPSHOT            java-archive  CVE-2021-40690       High
xmlsec                             2.0.10          2.1.4     java-archive  GHSA-4q98-wr72-h35w  Medium
xmlsec                             2.0.10          2.1.7     java-archive  GHSA-j8wc-gxx9-82hx  High
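
A way to triage a report like the one attached to this message, as an added example that is not part of the original e-mail and not Grype's own code: it rejoins rows that a mail client has wrapped, then separates per-row severity counts from distinct vulnerability IDs and lists the findings that carry a FIXED-IN version. The function names and the embedded sample (a few rows copied from the report above) are assumptions of this example.

```python
import re
from collections import Counter, defaultdict
from typing import NamedTuple, Optional

# Constructed sample: a few rows copied from the report on this page, in the
# two-line form the mail client produced. It is not the full report.
WRAPPED_REPORT = """\
[0000]  WARN java manifest section found without a name:
/tmp/syft-archive-contents-889230378/archive-xbean-asm6-shaded-4.8.jar
from-lib=syft
NAME                               INSTALLED       FIXED-IN  TYPE
VULNERABILITY        SEVERITY
activemq-protobuf                  1.1                       java-archive
CVE-2016-3088        Critical
cxf-core                           3.1.18                    java-archive
CVE-2021-30468       High
cxf-rt-wsdl                        3.1.18                    java-archive
CVE-2021-30468       High
jackson-databind                   2.12.0          2.12.6.1  java-archive
GHSA-57j2-w4cx-62h2  High
tomee-common                       7.1.5-SNAPSHOT            java-archive
CVE-2021-40690       High
tomee-jaxrs                        7.1.5-SNAPSHOT            java-archive
CVE-2021-40690       High
xmlsec                             2.0.10          2.1.4     java-archive
GHSA-4q98-wr72-h35w  Medium
"""

VULN_ID = re.compile(r"^(CVE-\d{4}-\d{4,}|GHSA(-[0-9a-z]{4}){3})$")


class Finding(NamedTuple):
    name: str
    installed: str
    fixed_in: Optional[str]
    type: str
    vuln: str
    severity: str


def unwrap(text):
    """Rejoin rows whose VULNERABILITY/SEVERITY columns moved to the next line."""
    logical = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if logical and VULN_ID.match(line.split()[0]):
            logical[-1] = f"{logical[-1]} {line}"   # continuation of the row
        else:
            logical.append(line)                     # new row, header or log line
    return logical


def parse(text):
    """Return (findings, skipped). Assumes no field contains spaces and that
    INSTALLED is always present, so a row has 5 tokens (no fix) or 6 (fix)."""
    findings, skipped = [], []
    for line in unwrap(text):
        tok = line.split()
        if len(tok) in (5, 6) and VULN_ID.match(tok[-2]):
            fixed = tok[2] if len(tok) == 6 else None
            findings.append(Finding(tok[0], tok[1], fixed, tok[-3], tok[-2], tok[-1]))
        else:
            skipped.append(line)                     # header and scanner log lines
    return findings, skipped


def triage(findings):
    """Summarise findings so repeated matches are reviewed once per ID."""
    artifacts_by_vuln = defaultdict(set)
    severity_of = {}
    for f in findings:
        artifacts_by_vuln[f.vuln].add(f"{f.name}:{f.installed}")
        severity_of[f.vuln] = f.severity
    return {
        # One count per (artifact, ID) row: the figure a raw scan total reflects.
        "rows_by_severity": dict(Counter(f.severity for f in findings)),
        # One count per vulnerability ID, however many artifacts matched it.
        "distinct_ids_by_severity": dict(Counter(severity_of.values())),
        "artifacts_by_vuln": {v: sorted(a) for v, a in artifacts_by_vuln.items()},
        # Rows where the scanner names a fixed version, i.e. a concrete upgrade.
        "with_fixed_version": sorted(
            (f.name, f.installed, f.fixed_in, f.vuln) for f in findings if f.fixed_in
        ),
    }


if __name__ == "__main__":
    found, ignored = parse(WRAPPED_REPORT)
    report = triage(found)
    print("rows by severity:        ", report["rows_by_severity"])
    print("distinct IDs by severity:", report["distinct_ids_by_severity"])
    for vuln, artifacts in report["artifacts_by_vuln"].items():
        print(f"{vuln}: {len(artifacts)} artifact(s): {', '.join(artifacts)}")
    for row in report["with_fixed_version"]:
        print("fix available:", row)
    print(f"{len(ignored)} non-finding line(s) skipped")
```

Whether a given match is a false positive still has to be decided per vulnerability ID by checking which component the advisory actually covers; the grouping only shows how many rows share one ID.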
