[GitHub] [tomee] rzo1 commented on pull request #1033: Patch Tomcat 10.0.27 with fixes for CVE-2023-24998 & CVE-2023-28708

2023-04-18 Thread via GitHub
rzo1 commented on PR #1033: URL: https://github.com/apache/tomee/pull/1033#issuecomment-1514061904 Build is OK: https://ci-builds.apache.org/job/Tomee/job/pull-request-9.x-manual/4/ -- This is an automated message from the Apache Git Service. To respond to the message, please log on to Gi

[GitHub] [openejb] dependabot[bot] closed pull request #57: Bump jetty-server from 8.0.3.v20111011 to 9.4.41.v20210516 in /sandbox/jettyfun

2023-04-18 Thread via GitHub
dependabot[bot] closed pull request #57: Bump jetty-server from 8.0.3.v20111011 to 9.4.41.v20210516 in /sandbox/jettyfun URL: https://github.com/apache/openejb/pull/57 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the U

[GitHub] [openejb] dependabot[bot] opened a new pull request, #76: Bump jetty-server from 8.0.3.v20111011 to 10.0.14 in /sandbox/jettyfun

2023-04-18 Thread via GitHub
dependabot[bot] opened a new pull request, #76: URL: https://github.com/apache/openejb/pull/76 Bumps [jetty-server](https://github.com/eclipse/jetty.project) from 8.0.3.v20111011 to 10.0.14. Release notes Sourced from https://github.com/eclipse/jetty.project/releases jetty-server

[GitHub] [openejb] dependabot[bot] commented on pull request #57: Bump jetty-server from 8.0.3.v20111011 to 9.4.41.v20210516 in /sandbox/jettyfun

2023-04-18 Thread via GitHub
dependabot[bot] commented on PR #57: URL: https://github.com/apache/openejb/pull/57#issuecomment-1513865650 Superseded by #76. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment

[GitHub] [openejb] dependabot[bot] closed pull request #56: Bump jetty-server from 7.5.3.v20111011 to 9.4.41.v20210516 in /openejb

2023-04-18 Thread via GitHub
dependabot[bot] closed pull request #56: Bump jetty-server from 7.5.3.v20111011 to 9.4.41.v20210516 in /openejb URL: https://github.com/apache/openejb/pull/56 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above

[GitHub] [openejb] dependabot[bot] commented on pull request #56: Bump jetty-server from 7.5.3.v20111011 to 9.4.41.v20210516 in /openejb

2023-04-18 Thread via GitHub
dependabot[bot] commented on PR #56: URL: https://github.com/apache/openejb/pull/56#issuecomment-1513863664 Superseded by #75. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment

[GitHub] [openejb] dependabot[bot] opened a new pull request, #75: Bump jetty-server from 7.5.3.v20111011 to 10.0.14 in /openejb

2023-04-18 Thread via GitHub
dependabot[bot] opened a new pull request, #75: URL: https://github.com/apache/openejb/pull/75 Bumps [jetty-server](https://github.com/eclipse/jetty.project) from 7.5.3.v20111011 to 10.0.14. Release notes Sourced from https://github.com/eclipse/jetty.project/releases jetty-server

Re: Backporting changes between 8.x, 9.x and 10.x

2023-04-18 Thread somasani nikhil
Yes, this will greatly help people with the decision to move forward with an upgrade to a specific version. I would be happy to collaborate with the team, but I'm very new to this process / don't have clear steps on supporting such projects. Thank you! Nikhil Somasani On Fri, 17 Mar 2023 at 12:52 AM,

[GitHub] [tomee] rzo1 opened a new pull request, #1033: Patch Tomcat 10.0.27 with fixes for CVE-2023-24998 & CVE-2023-28708

2023-04-18 Thread via GitHub
rzo1 opened a new pull request, #1033: URL: https://github.com/apache/tomee/pull/1033 This PR 1. patches Tomcat 10.0.27 for CVE-2023-28708 by applying the changeset from https://github.com/apache/tomcat/commit/f509bbf31fc00abe3d9f25ebfabca5e05173da5b 2. patches Tomcat 1

Re: Release TomEE 9.1.0

2023-04-18 Thread Jean-Louis Monteiro
Thanks Swell for providing more information on the consequences/side effects. This helps. I'd say it depends how fast we can get a 10.0 -- Jean-Louis Monteiro http://twitter.com/jlouismonteiro http://www.tomitribe.com On Tue, Apr 18, 2023 at 11:38 AM Swell wrote: > Fixing cve should have prio

Re: Release TomEE 9.1.0

2023-04-18 Thread Richard Zowalla
Backporting the change and patching within TomEE shouldn't be a big deal (as we already patch Tomcat within TomEE) :) On Tuesday, 18.04.2023 at 11:37 +0200, Swell wrote: > Fixing CVEs should have priority over TCK results, right? That said > do we > want to maintain efforts on 9.1 or focus o

Re: Release TomEE 9.1.0

2023-04-18 Thread Swell
Fixing CVEs should have priority over TCK results, right? That said, do we want to maintain efforts on 9.1 or focus our resources and time on 10.0? On the other hand, if we upgrade TomEE 9 with Tomcat 10.1 we lose a status method of the Servlet API used by EE9 versions of resteasy/jersey/etc. Resulti

Re: Release TomEE 9.1.0

2023-04-18 Thread Jean-Louis Monteiro
It's not only TCK, it's breaking backward compatibility and potentially impacting users because we'll change API signatures and of course the implementation in Tomcat. EL 3, Servlet 6 and TagLib 3 have breaking changes and methods/classes removed. -- Jean-Louis Monteiro http://twitter.com/jlouismont

Re: Release TomEE 9.1.0

2023-04-18 Thread Richard Zowalla
Hi, I am +1 for it, but we need to decide if we want to port the commons-fileupload CVE fix to Tomcat 10.0.27 or if we upgrade to 10.1.x (and lose EE 9.1 TCK compliance). Regards Richard On Tuesday, 18.04.2023 at 10:01 +0200, Jean-Louis Monteiro wrote: > Hi all, > > Looks like our backlog is s

Release TomEE 9.1.0

2023-04-18 Thread Jean-Louis Monteiro
Hi all, Looks like our backlog is starting to grow. We've done quite a lot of updates and I was wondering if we should do a release for 9.1.0? Note that there is an issue to fix before with the API Uber jar where the tomcat classifier has the same content as the non tomcat classifier. This was me