TomEE 8.0.5 tomcat/quartz-openejb-shade dependency versions

Bruce Heavey
Hi,

We've recently upgraded from TomEE 1.7.5 up to TomEE 8.0.5 which has been a pretty smooth transition for us, but I'm a bit puzzled by 2 things:

1. The list of changes in 8.0.5 (https://github.com/apache/tomee/compare/tomee-8.0.5...master) indicates the version of Tomcat has bumped up to 9.0.40, but when my TomEE 8.0.5 starts up it looks like it's still using 9.0.39: "Server version name:   Apache Tomcat (TomEE)/9.0.39 (8.0.5)".

2. Really happy to see CVE-2019-13990 addressed in TOMEE-2672 (https://issues.apache.org/jira/browse/TOMEE-2672). But TomEE 8.0.5 still seems to be shipping the old jar file not the new one with the fix in it. https://github.com/apache/tomee/blob/master/pom.xml should the version of quartz-openejb-shade have been bumped up to 2.2.4 when TOMEE-2672 was fixed? In our local build we're currently replacing the old jar file with the new jar file to address the issue.

Thanks in advance,

Bruce
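
A check for the situation raised in the message above, where an installed distribution may still carry the pre-fix quartz-openejb-shade jar: it reads every matching jar in a TomEE `lib/` directory and compares the version recorded in its Maven metadata against 2.2.4, so a renamed old jar is still caught. This is an added example, not part of the original thread or of TomEE's code; the presence of a `pom.properties` entry in the jar, the `groupId` and the 2.2.1 sample version are assumptions.

```python
import re
import tempfile
import zipfile
from pathlib import Path

ARTIFACT = "quartz-openejb-shade"  # artifact named in the thread
FIXED = (2, 2, 4)                  # version the thread says should ship


def parse_version(text):
    """'2.2.4' or '2.2.4-SNAPSHOT' -> (2, 2, 4); unparsable text -> ()."""
    return tuple(int(n) for n in re.findall(r"\d+", text.split("-")[0]))


def embedded_version(jar_path):
    """Version from the jar's Maven pom.properties, or None if absent."""
    with zipfile.ZipFile(jar_path) as jar:
        for entry in jar.namelist():
            if entry.startswith("META-INF/maven/") and entry.endswith("/pom.properties"):
                lines = jar.read(entry).decode("utf-8", "replace").splitlines()
                props = dict(l.split("=", 1) for l in lines if "=" in l and l[0] != "#")
                if props.get("artifactId", "").strip() == ARTIFACT:
                    return props.get("version", "").strip() or None
    return None


def audit_lib(lib_dir):
    """Return (file name, effective version, status) for each matching jar."""
    findings = []
    for jar_path in sorted(Path(lib_dir).glob(ARTIFACT + "-*.jar")):
        named = jar_path.name[len(ARTIFACT) + 1:-len(".jar")]
        try:
            inside = embedded_version(jar_path)
        except zipfile.BadZipFile:
            findings.append((jar_path.name, named, "UNREADABLE"))
            continue
        version = inside or named  # metadata wins over the file name
        if parse_version(version) < FIXED:
            status = "OUTDATED"
        elif inside and inside != named:
            status = "MISMATCH"    # fixed content, misleading file name
        else:
            status = "OK"
        findings.append((jar_path.name, version, status))
    return findings


def make_sample_jar(path, version):
    """Constructed test input (groupId is an assumption): a jar with only pom.properties."""
    entry = "META-INF/maven/org.apache.openejb.shade/%s/pom.properties" % ARTIFACT
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(entry, "#Generated\nversion=%s\nartifactId=%s\n" % (version, ARTIFACT))


def demo():
    """Audit a constructed lib/ holding an old jar and an old jar renamed to 2.2.4."""
    with tempfile.TemporaryDirectory() as lib:
        make_sample_jar(Path(lib, ARTIFACT + "-2.2.1.jar"), "2.2.1")  # constructed old version
        make_sample_jar(Path(lib, ARTIFACT + "-2.2.4.jar"), "2.2.1")  # renamed, still old inside
        return audit_lib(lib)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Call `audit_lib()` with the path to the server's `lib/` directory; any row whose status is not `OK` needs a look before the install is treated as patched.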
Re: TomEE 8.0.5 tomcat/quartz-openejb-shade dependency versions

Jean-Louis MONTEIRO
Hi Bruce,

Glad the upgrade went well.

1/ I checked the pom file of the 8.0.5
https://github.com/apache/tomee/blob/tomee-8.0.5/pom.xml#L148
Tomcat seems to be 9.0.39 in there so what you see in the logs is fine.

It probably got added after the release.
https://github.com/apache/tomee/commit/eb2928435685d3e5fb184d0aa945efbfe06f26a4

The day after the release actually.

2/ You are correct I think.
We should upgrade to 2.2.4

Would you like to create the ticket and the PR?
It's fairly simple and would be awesome to have you fix it.

If not, lemme know and I can do it.

--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com


On Fri, Dec 18, 2020 at 6:17 AM Bruce Heavey <[hidden email]> wrote:

> Hi,
>
> We've recently upgraded from TomEE 1.7.5 up to TomEE 8.0.5 which has been
> a pretty smooth transition for us, but I'm a bit puzzled by 2 things:
>
> 1. The list of changes in 8.0.5 (
> https://github.com/apache/tomee/compare/tomee-8.0.5...master) indicates
> the version of Tomcat has bumped up to 9.0.40, but when my TomEE 8.0.5
> starts up it looks like it's still using 9.0.39: "Server version name:
>  Apache Tomcat (TomEE)/9.0.39 (8.0.5)".
>
> 2. Really happy to see CVE-2019-13990 addressed in TOMEE-2672 (
> https://issues.apache.org/jira/browse/TOMEE-2672). But TomEE 8.0.5 still
> seems to be shipping the old jar file not the new one with the fix in it.
> https://github.com/apache/tomee/blob/master/pom.xml should the version of
> quartz-openejb-shade have been bumped up to 2.2.4 when TOMEE-2672 was
> fixed? In our local build we're currently replacing the old jar file with
> the new jar file to address the issue.
>
> Thanks in advance,
>
> Bruce
RE: TomEE 8.0.5 tomcat/quartz-openejb-shade dependency versions

Bruce Heavey
I don’t really feel comfortable making contributions yet, sorry - better to leave that to the experts!

But I’m happy to raise the JIRA ticket; I've created TOMEE-2947 for this, cheers!
https://issues.apache.org/jira/browse/TOMEE-2947


-----Original Message-----
From: Jean-Louis Monteiro <[hidden email]>
Sent: Friday, 18 December 2020 6:11 PM
To: [hidden email]
Subject: Re: TomEE 8.0.5 tomcat/quartz-openejb-shade dependency versions

Hi Bruce,

Glad the upgrade went well.

1/ I checked the pom file of the 8.0.5
https://github.com/apache/tomee/blob/tomee-8.0.5/pom.xml#L148
Tomcat seems to be 9.0.39 in there so what you see in the logs is fine.

It probably got added after the release.
https://github.com/apache/tomee/commit/eb2928435685d3e5fb184d0aa945efbfe06f26a4

The day after the release actually.

2/ You are correct I think.
We should upgrade to 2.2.4

Would you like to create the ticket and the PR?
It's fairly simple and would be awesome to have you fix it.

If not, lemme know and I can do it.

--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com


Re: TomEE 8.0.5 tomcat/quartz-openejb-shade dependency versions

Zowalla, Richard
I created a related PR https://github.com/apache/tomee/pull/742

Regards
Richard

On Monday, 21.12.2020, at 00:18 +0000, Bruce Heavey wrote:

> I don’t really feel comfortable making contributions yet, sorry -
> better to leave that to the experts!
>
> But I’m happy to raise the JIRA ticket; I've created TOMEE-2947 for
> this, cheers!
> https://issues.apache.org/jira/browse/TOMEE-2947
>
>
--
Richard Zowalla, M.Sc.
Research Associate, PhD Student | Medical Informatics

Hochschule Heilbronn – University of Applied Sciences
Max-Planck-Str. 39
D-74081 Heilbronn
phone: +49 7131 504 6791
mail: [hidden email]
web: https://www.mi.hs-heilbronn.de/ 

Re: TomEE 8.0.5 tomcat/quartz-openejb-shade dependency versions

Jean-Louis MONTEIRO
Thanks Richard,

I first merged the PR, but had to revert the version because of some
compilation issues. I don't think it's hard to fix, but I'll have to look
later.
--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com


On Mon, Dec 21, 2020 at 8:39 AM Zowalla, Richard <
[hidden email]> wrote:

> I created a related PR https://github.com/apache/tomee/pull/742
>
> Regards
> Richard
>
Re: TomEE 8.0.5 tomcat/quartz-openejb-shade dependency versions

Zowalla, Richard
Hi,

thanks for the update. Just got the push notification from GitHub.

I have fixed the compile issues (sorry!) related to Quartz and opened a
new PR: https://github.com/apache/tomee/pull/743. This is now in line
with the update conducted for 7.1.x and 7.0.x.

Regards
Richard

On Wednesday, 23.12.2020, at 13:26 +0100, Jean-Louis Monteiro wrote:

> Thanks Richard,
>
> I first merged the PR, but had to revert the version because of some
> compilation issues. I don't think it's hard to fix, but I'll have to
> look later.
> --
> Jean-Louis Monteiro
> http://twitter.com/jlouismonteiro
> http://www.tomitribe.com
>
>
--
Richard Zowalla, M.Sc.
Research Associate, PhD Student | Medical Informatics

Hochschule Heilbronn – University of Applied Sciences
Max-Planck-Str. 39
D-74081 Heilbronn
phone: +49 7131 504 6791
mail: [hidden email]
web: https://www.mi.hs-heilbronn.de/ 

Re: TomEE 8.0.5 tomcat/quartz-openejb-shade dependency versions

Jean-Louis MONTEIRO
Hey Richard,

It was quick.
Thanks, reviewed and merged.

Build should start soon.
https://ci-builds.apache.org/job/Tomee/

When it's deployed, I'll fire up a new TCK build to see if it does not
break any tests.
--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com


On Wed, Dec 23, 2020 at 1:28 PM Zowalla, Richard <
[hidden email]> wrote:

> Hi,
>
> thanks for the update. Just got the push notification from GitHub.
>
> I have fixed the compile issues (sorry!) related to Quartz and opened a
> new PR: https://github.com/apache/tomee/pull/743. This is now in line
> with the update conducted for 7.1.x and 7.0.x.
>
> Regards
> Richard
>