[DISCUSS] TomEE 8.0.13 - How do we want to deal with pending CVEs / patch versions?

2022-10-09 Thread Richard Zowalla
Hi all, I think that we are soon in a good state to do a 8.0.13. However, there are some open points for which I want to get the community's opinion. # (1): CVE-2022-42003 (jackson-databind) There is one CVE related to jackson-databind: https://nvd.nist.gov/vuln/detail/CVE-2022-42003 (before 2

Re: [DISCUSS] TomEE 8.0.13 - How do we want to deal with pending CVEs / patch versions?

2022-10-09 Thread Swell
TomEE 8.0.12 is already affected by these 2 CVEs, right? I am unsure in terms of corporate image. No-shipping and waiting seems a bit hard on clients who would need to have tech-watch and/or security teams to update the jars by themselves in production. It would be great to provide counter measures

Re: [DISCUSS] TomEE 8.0.13 - How do we want to deal with pending CVEs / patch versions?

2022-10-09 Thread Zowalla, Richard
> TomEE 8.0.12 is already affected by these 2 CVEs, right? Yes (+ some others as discussed in the 'Cut a 8.0.13' thread). Regards, Richard. On Sunday, 09.10.2022 at 10:59 +0200, Swell wrote: > TomEE 8.0.12 is already affected by these 2 CVEs, right? > > I am unsure in terms of corporate image. >

Re: [DISCUSS] TomEE 8.0.13 - How do we want to deal with pending CVEs / patch versions?

2022-10-09 Thread Alex The Rocker
Hello, Regarding # (1): CVE-2022-42003 (jackson-databind), given that the only reason for having Jackson in TomEE is because of embedded TomEE; so the discussion here https://lists.apache.org/thread/ttmdc4l9z9oz9lqw3cd22sjdz451dh25 to replace Jackson by the Apache Johnzon (which is already part of

Re: [DISCUSS] TomEE 8.0.13 - How do we want to deal with pending CVEs / patch versions?

2022-10-10 Thread Wiesner, Martin
Hi all, I agree with Alex's comments on Richard's proposed options for the next TomEE 8.x release. We should move on and ship 8.0.13 soon. Best Martin — https://twitter.com/mawiesne > On 09.10.2022 at 13:11, Alex The Rocker wrote: > > Hello, > > Regarding #

Re: [DISCUSS] TomEE 8.0.13 - How do we want to deal with pending CVEs / patch versions?

2022-10-10 Thread Jean-Louis Monteiro
I'm not much focused on 8.x at the moment. Shipping with a Jackson RC is fine in my opinion. And yes it's ridiculous to have 2 JSON-B/P implementations. The thing is that OpenAPI has a hard dependency on Jackson as opposed to be using standard APIs where you can use any implementation. -- Jean-

Re: [DISCUSS] TomEE 8.0.13 - How do we want to deal with pending CVEs / patch versions?

2022-10-10 Thread Richard Zowalla
Hi all, thanks for your opinions. Regarding (1): Updated to the RC version. Regarding (2): Added the workaround for hsqldb 2.7.0 - we can remove it after 2.7.1 is available. I am currently working on cleaning up the CXF shading for 8.0.13. This will give us the fixes in those classes, which we

Re: [DISCUSS] TomEE 8.0.13 - How do we want to deal with pending CVEs / patch versions?

2022-10-10 Thread Jonathan Gallimore
> Not only is it ridiculous to have two JSON processing stacks coexisting in TomEE, but also, looking at https://mvnrepository.com/artifact/org.apache.johnzon/johnzon-core, there was no CVE on Johnzon for the past 5 years; versus a huge number of CVEs on Jackson for the same period: https://mvnre