Re: Post TomEE 9.0.0 final release

2023-01-11 Thread David Blevins
> On Jan 4, 2023, at 4:00 PM, David Blevins wrote: > > I created JIRAs for all the individual TCKs involved in EE 10. Some of these > are already set up: > > TOMEE-4156 Platform/WebProfile TCK I have this at least minimally set up here: - https://github.com/apache/tomee-tck There’s a `setu

Re: 8.0.14 next week? [Was: Having 8.0.14 before christmas? Opinions?]

2023-01-11 Thread Alex The Rocker
Thanks Richard for this clarification (hope it's available in TomEE Security page to avoid people asking the same question) => When can TomEE 8.0.14 vote start? Alex On Wed, Jan 11, 2023 at 15:11, Richard Zowalla wrote: > > Hi Alex, > > thanks for the reply. > > There is an issue regarding C

Re: 8.0.14 next week? [Was: Having 8.0.14 before christmas? Opinions?]

2023-01-11 Thread Richard Zowalla
Hi Alex, thanks for the reply. There is an issue regarding CVE-2022-1471 (snakeyaml) [1]. Snakeyaml is a transient dependency of jackson-dataformat-yaml (which is used in OpenAPI). According to the Jackson people [2], they are not affected [2]. Therefore, I don't think that we are impacted. G

Re: 8.0.14 next week? [Was: Having 8.0.14 before christmas? Opinions?]

2023-01-11 Thread Richard Zowalla
On Wednesday, 11.01.2023 at 14:32 +0100, Alex The Rocker wrote: > Hello Richard, > > I give a big +1 for having an 8.0.14 release ASAP. > > I have nothing to ask in into beyond the (many) CVE fixes done so > far, > except maybe if it could be checked if TomEE+ usage of snakeyaml > (which is pa

Re: 8.0.14 next week? [Was: Having 8.0.14 before christmas? Opinions?]

2023-01-11 Thread Alex The Rocker
Hello Richard, I give a big +1 for having an 8.0.14 release ASAP. I have nothing to ask in into beyond the (many) CVE fixes done so far, except maybe if it could be checked if TomEE+ usage of snakeyaml (which is part of TomEE+ libraries) systematically relies on SnakeYaml's SafeConstructor, so as

Re: 8.0.14 next week? [Was: Having 8.0.14 before christmas? Opinions?]

2023-01-11 Thread Jean-Louis Monteiro
Thanks. Nothing on my radar On Wed, Jan 11, 2023, 08:13, Richard Zowalla wrote: > Hi all, > > I would like to bring up 8.0.14 for a VOTE next week. > > Is there anything (dep updates, etc.) we need to include before > proceeding with the preparations? > > Current changes: > https://issues.apa

8.0.14 next week? [Was: Having 8.0.14 before christmas? Opinions?]

2023-01-11 Thread Richard Zowalla
Hi all, I would like to bring up 8.0.14 for a VOTE next week. Is there anything (dep updates, etc.) we need to include before proceeding with the preparations? Current changes: https://issues.apache.org/jira/projects/TOMEE/versions/12352390 CXF 3.4.10 will be the last release of the 3.4.x serie