Apache TomEE 8.0.13 Release Notes
Apache TomEE 8.0.13 has been released. It is a maintenance release with some bug fixes and dependency upgrades.
Thank you to everyone who contributed to this release, including all of our users and the people who submitted bug reports, contributed code or documentation enhancements.
Dependency upgrade
- TOMEE-3985 BatchEE 1.0.2
- TOMEE-4057 CXF 3.4.8
- TOMEE-3800 DBCP 2.9.0
- TOMEE-4059 EclipseLink 2.7.11
- TOMEE-4063 Geronimo Transaction Manager 3.1.5
- TOMEE-4019 HSQLDB 2.7.0
- TOMEE-3986 Hibernate Integration 5.6.9.Final
- TOMEE-4042 Jackson 2.13.4
- TOMEE-4067 Jackson 2.14.0-rc1
- TOMEE-4020 Jakarta Faces 2.3.18
- TOMEE-4026 Johnzon 1.2.19
- TOMEE-4030 Log4J2 2.18.0
- TOMEE-3998 MyFaces 2.3.10
- TOMEE-4044 Snakeyaml 1.32
- TOMEE-4054 Snakeyaml 1.33
- TOMEE-4002 Tomcat 9.0.64
- TOMEE-4051 Tomcat 9.0.65
- TOMEE-4060 Tomcat 9.0.67
- TOMEE-4087 Tomcat 9.0.68
- TOMEE-4018 bcprov-jdk15on 1.70
- TOMEE-4085 commons-cli 1.5.0
New Feature
- TOMEE-3928 Example for properties provider
Bug
- TOMEE-4021 Unexpected ehcache 3.8.1 in tomee/lib
- TOMEE-3850 HTTP(S) connections are not reused
- TOMEE-4014 Unable to see TomEE version in Tomcat home page with Java 17
- TOMEE-3979 service.bat issue when using JRE_HOME on Windows
- TOMEE-4041 4 CVE Vulnerabilities in snakeyaml-1.30.jar
- TOMEE-4001 CVE-2022-34305 displaying user provided data without filtering, exposing a XSS vulnerability
Improvement
- TOMEE-3878 Backport 'No interface view EJB proxies broken on JDK16+' [TOMEE-3877] to TomEE 8.x
Task
- TOMEE-4064 OpenJPA 3.2.2 (examples), EclipseLink 2.7.11 (examples), Derby 10.14.2.0
- TOMEE-4022 Move to Apache Rat
- TOMEE-4056 Log4J2 2.19.0
- TOMEE-4058 Update Krazo, DeltaSpike and Hibernate
- TOMEE-3914 Spring 3 Dependencies in TomEE Root POM
- TOMEE-4088 Add workaround for CVE-2022-41853 (hsqldb)
Documentation
- TOMEE-4023 Comparison pages with wrong specs per profiles
- TOMEE-3981 update javadoc to reflect updates on Jakarta EE
Fixed Common Vulnerabilities and Exposures (CVEs)
- TOMEE-4041 4 CVE Vulnerabilities in snakeyaml-1.30.jar
- TOMEE-4001 CVE-2022-34305 displaying user provided data without filtering, exposing a XSS vulnerability
- TOMEE-4088 Add workaround for CVE-2022-41853 (hsqldb)
Additional Information
Please note:
(1) CVE-2022-42003 (jackson-databind): Users are only affected if UNWRAP_SINGLE_VALUE_ARRAYS is enabled. Mitigation is included in 2.14.0-rc1. As per list discussion we are fine shipping an RC version.
(2) CVE-2022-41853 (hsqldb): As v2.7.1 wasn't available at voting time, TomEE sets "hsqldb.method_class_names" to an invalid value to mitigate the vulnerability. Users can override the property as needed.