diff --git a/boms/tomee-microprofile/pom.xml b/boms/tomee-microprofile/pom.xml
index fc9ebf140c1..eb69ea0bc58 100644
--- a/boms/tomee-microprofile/pom.xml
+++ b/boms/tomee-microprofile/pom.xml
@@ -533,7 +533,7 @@ org.apache.cxf cxf-core - 4.0.3 + 4.0.4 *
@@ -544,7 +544,7 @@ org.apache.cxf cxf-rt-bindings-soap - 4.0.3 + 4.0.4 *
@@ -555,7 +555,7 @@ org.apache.cxf cxf-rt-bindings-xml - 4.0.3 + 4.0.4 *
@@ -566,7 +566,7 @@ org.apache.cxf cxf-rt-databinding-jaxb - 4.0.3 + 4.0.4 *
@@ -577,7 +577,7 @@ org.apache.cxf cxf-rt-frontend-jaxrs - 4.0.3 + 4.0.4 *
@@ -588,7 +588,7 @@ org.apache.cxf cxf-rt-frontend-jaxws - 4.0.3 + 4.0.4 *
@@ -599,7 +599,7 @@ org.apache.cxf cxf-rt-frontend-simple - 4.0.3 + 4.0.4 *
@@ -610,7 +610,7 @@ org.apache.cxf cxf-rt-management - 4.0.3 + 4.0.4 *
@@ -621,7 +621,7 @@ org.apache.cxf cxf-rt-rs-client - 4.0.3 + 4.0.4 *
@@ -632,7 +632,7 @@ org.apache.cxf cxf-rt-rs-extension-providers - 4.0.3 + 4.0.4 *
@@ -643,7 +643,7 @@ org.apache.cxf cxf-rt-rs-mp-client - 4.0.3 + 4.0.4 *
@@ -654,7 +654,7 @@ org.apache.cxf cxf-rt-rs-service-description - 4.0.3 + 4.0.4 *
@@ -665,7 +665,7 @@ org.apache.cxf cxf-rt-rs-sse - 4.0.3 + 4.0.4 *
@@ -676,7 +676,7 @@ org.apache.cxf cxf-rt-security-saml - 4.0.3 + 4.0.4 *
@@ -687,7 +687,7 @@ org.apache.cxf cxf-rt-security - 4.0.3 + 4.0.4 *
@@ -698,7 +698,7 @@ org.apache.cxf cxf-rt-transports-http - 4.0.3 + 4.0.4 *
@@ -709,7 +709,7 @@ org.apache.cxf cxf-rt-ws-addr - 4.0.3 + 4.0.4 *
@@ -720,7 +720,7 @@ org.apache.cxf cxf-rt-ws-policy - 4.0.3 + 4.0.4 *
@@ -731,7 +731,7 @@ org.apache.cxf cxf-rt-ws-security - 4.0.3 + 4.0.4 *
@@ -742,7 +742,7 @@ org.apache.cxf cxf-rt-wsdl - 4.0.3 + 4.0.4 *
@@ -1880,7 +1880,7 @@ org.codehaus.woodstox stax2-api - 4.2.1 + 4.2.2 *
@@ -2232,7 +2232,7 @@ org.ow2.asm asm - 9.5 + 9.6 *
diff --git a/boms/tomee-plume/pom.xml b/boms/tomee-plume/pom.xml
index 660dcd273d3..05e9de47d7b 100644
--- a/boms/tomee-plume/pom.xml
+++ b/boms/tomee-plume/pom.xml
@@ -622,7 +622,7 @@ org.apache.cxf cxf-core - 4.0.3 + 4.0.4 *
@@ -633,7 +633,7 @@ org.apache.cxf cxf-rt-bindings-soap - 4.0.3 + 4.0.4 *
@@ -644,7 +644,7 @@ org.apache.cxf cxf-rt-bindings-xml - 4.0.3 + 4.0.4 *
@@ -655,7 +655,7 @@ org.apache.cxf cxf-rt-databinding-jaxb - 4.0.3 + 4.0.4 *
@@ -666,7 +666,7 @@ org.apache.cxf cxf-rt-frontend-jaxrs - 4.0.3 + 4.0.4 *
@@ -677,7 +677,7 @@ org.apache.cxf cxf-rt-frontend-jaxws - 4.0.3 + 4.0.4 *
@@ -688,7 +688,7 @@ org.apache.cxf cxf-rt-frontend-simple - 4.0.3 + 4.0.4 *
@@ -699,7 +699,7 @@ org.apache.cxf cxf-rt-management - 4.0.3 + 4.0.4 *
@@ -710,7 +710,7 @@ org.apache.cxf cxf-rt-rs-client - 4.0.3 + 4.0.4 *
@@ -721,7 +721,7 @@ org.apache.cxf cxf-rt-rs-extension-providers - 4.0.3 + 4.0.4 *
@@ -732,7 +732,7 @@ org.apache.cxf cxf-rt-rs-mp-client - 4.0.3 + 4.0.4 *
@@ -743,7 +743,7 @@ org.apache.cxf cxf-rt-rs-service-description - 4.0.3 + 4.0.4 *
@@ -754,7 +754,7 @@ org.apache.cxf cxf-rt-rs-sse - 4.0.3 + 4.0.4 *
@@ -765,7 +765,7 @@ org.apache.cxf cxf-rt-security-saml - 4.0.3 + 4.0.4 *
@@ -776,7 +776,7 @@ org.apache.cxf cxf-rt-security - 4.0.3 + 4.0.4 *
@@ -787,7 +787,7 @@ org.apache.cxf cxf-rt-transports-http - 4.0.3 + 4.0.4 *
@@ -798,7 +798,7 @@ org.apache.cxf cxf-rt-ws-addr - 4.0.3 + 4.0.4 *
@@ -809,7 +809,7 @@ org.apache.cxf cxf-rt-ws-policy - 4.0.3 + 4.0.4 *
@@ -820,7 +820,7 @@ org.apache.cxf cxf-rt-ws-security - 4.0.3 + 4.0.4 *
@@ -831,7 +831,7 @@ org.apache.cxf cxf-rt-wsdl - 4.0.3 + 4.0.4 *
@@ -1991,7 +1991,7 @@ org.codehaus.woodstox stax2-api - 4.2.1 + 4.2.2 *
@@ -2376,7 +2376,7 @@ org.ow2.asm asm - 9.5 + 9.6 *
diff --git a/boms/tomee-plus/pom.xml b/boms/tomee-plus/pom.xml
index de93ee51273..f8e8ee24f50 100644
--- a/boms/tomee-plus/pom.xml
+++ b/boms/tomee-plus/pom.xml
@@ -633,7 +633,7 @@ org.apache.cxf cxf-core - 4.0.3 + 4.0.4 *
@@ -644,7 +644,7 @@ org.apache.cxf cxf-rt-bindings-soap - 4.0.3 + 4.0.4 *
@@ -655,7 +655,7 @@ org.apache.cxf cxf-rt-bindings-xml - 4.0.3 + 4.0.4 *
@@ -666,7 +666,7 @@ org.apache.cxf cxf-rt-databinding-jaxb - 4.0.3 + 4.0.4 *
@@ -677,7 +677,7 @@ org.apache.cxf cxf-rt-frontend-jaxrs - 4.0.3 + 4.0.4 *
@@ -688,7 +688,7 @@ org.apache.cxf cxf-rt-frontend-jaxws - 4.0.3 + 4.0.4 *
@@ -699,7 +699,7 @@ org.apache.cxf cxf-rt-frontend-simple - 4.0.3 + 4.0.4 *
@@ -710,7 +710,7 @@ org.apache.cxf cxf-rt-management - 4.0.3 + 4.0.4 *
@@ -721,7 +721,7 @@ org.apache.cxf cxf-rt-rs-client - 4.0.3 + 4.0.4 *
@@ -732,7 +732,7 @@ org.apache.cxf cxf-rt-rs-extension-providers - 4.0.3 + 4.0.4 *
@@ -743,7 +743,7 @@ org.apache.cxf cxf-rt-rs-mp-client - 4.0.3 + 4.0.4 *
@@ -754,7 +754,7 @@ org.apache.cxf cxf-rt-rs-service-description - 4.0.3 + 4.0.4 *
@@ -765,7 +765,7 @@ org.apache.cxf cxf-rt-rs-sse - 4.0.3 + 4.0.4 *
@@ -776,7 +776,7 @@ org.apache.cxf cxf-rt-security-saml - 4.0.3 + 4.0.4 *
@@ -787,7 +787,7 @@ org.apache.cxf cxf-rt-security - 4.0.3 + 4.0.4 *
@@ -798,7 +798,7 @@ org.apache.cxf cxf-rt-transports-http - 4.0.3 + 4.0.4 *
@@ -809,7 +809,7 @@ org.apache.cxf cxf-rt-ws-addr - 4.0.3 + 4.0.4 *
@@ -820,7 +820,7 @@ org.apache.cxf cxf-rt-ws-policy - 4.0.3 + 4.0.4 *
@@ -831,7 +831,7 @@ org.apache.cxf cxf-rt-ws-security - 4.0.3 + 4.0.4 *
@@ -842,7 +842,7 @@ org.apache.cxf cxf-rt-wsdl - 4.0.3 + 4.0.4 *
@@ -2024,7 +2024,7 @@ org.codehaus.woodstox stax2-api - 4.2.1 + 4.2.2 *
@@ -2387,7 +2387,7 @@ org.ow2.asm asm - 9.5 + 9.6 *
diff --git a/boms/tomee-webprofile/pom.xml b/boms/tomee-webprofile/pom.xml
index bcbc10ccddc..ce26ffb2fcb 100644
--- a/boms/tomee-webprofile/pom.xml
+++ b/boms/tomee-webprofile/pom.xml
@@ -214,7 +214,7 @@ org.apache.cxf cxf-core - 4.0.3 + 4.0.4 *
@@ -225,7 +225,7 @@ org.apache.cxf cxf-rt-bindings-soap - 4.0.3 + 4.0.4 *
@@ -236,7 +236,7 @@ org.apache.cxf cxf-rt-bindings-xml - 4.0.3 + 4.0.4 *
@@ -247,7 +247,7 @@ org.apache.cxf cxf-rt-databinding-jaxb - 4.0.3 + 4.0.4 *
@@ -258,7 +258,7 @@ org.apache.cxf cxf-rt-frontend-jaxrs - 4.0.3 + 4.0.4 *
@@ -269,7 +269,7 @@ org.apache.cxf cxf-rt-frontend-jaxws - 4.0.3 + 4.0.4 *
@@ -280,7 +280,7 @@ org.apache.cxf cxf-rt-frontend-simple - 4.0.3 + 4.0.4 *
@@ -291,7 +291,7 @@ org.apache.cxf cxf-rt-management - 4.0.3 + 4.0.4 *
@@ -302,7 +302,7 @@ org.apache.cxf cxf-rt-rs-client - 4.0.3 + 4.0.4 *
@@ -313,7 +313,7 @@ org.apache.cxf cxf-rt-rs-extension-providers - 4.0.3 + 4.0.4 *
@@ -324,7 +324,7 @@ org.apache.cxf cxf-rt-rs-service-description - 4.0.3 + 4.0.4 *
@@ -335,7 +335,7 @@ org.apache.cxf cxf-rt-rs-sse - 4.0.3 + 4.0.4 *
@@ -346,7 +346,7 @@ org.apache.cxf cxf-rt-security-saml - 4.0.3 + 4.0.4 *
@@ -357,7 +357,7 @@ org.apache.cxf cxf-rt-security - 4.0.3 + 4.0.4 *
@@ -368,7 +368,7 @@ org.apache.cxf cxf-rt-transports-http - 4.0.3 + 4.0.4 *
@@ -379,7 +379,7 @@ org.apache.cxf cxf-rt-ws-addr - 4.0.3 + 4.0.4 *
@@ -390,7 +390,7 @@ org.apache.cxf cxf-rt-ws-policy - 4.0.3 + 4.0.4 *
@@ -401,7 +401,7 @@ org.apache.cxf cxf-rt-ws-security - 4.0.3 + 4.0.4 *
@@ -412,7 +412,7 @@ org.apache.cxf cxf-rt-wsdl - 4.0.3 + 4.0.4 *
@@ -1616,7 +1616,7 @@ org.ow2.asm asm - 9.5 + 9.6 *
diff --git a/pom.xml b/pom.xml
index 0a7acaa0f8a..eadbd7a13c9 100644
--- a/pom.xml
+++ b/pom.xml
@@ -203,14 +203,14 @@ 1.0.0-M1 - 10.0.28-TT.7 + 10.0.28-TT.8 2.0.1 5.18.3 1.0.2 2.0.6 - 4.0.3 + 4.0.4 3.1.5 1.0.0
diff --git a/tomee/apache-tomee/src/main/resources/META-INF/release_notes/RELEASE-NOTES-EAP-9.0.x b/tomee/apache-tomee/src/main/resources/META-INF/release_notes/RELEASE-NOTES-EAP-9.0.x
index ea62ba1ebd2..e69c6715ef7 100644
--- a/tomee/apache-tomee/src/main/resources/META-INF/release_notes/RELEASE-NOTES-EAP-9.0.x
+++ b/tomee/apache-tomee/src/main/resources/META-INF/release_notes/RELEASE-NOTES-EAP-9.0.x
@@ -1,7 +1,19 @@
-= TomEE EAP 9.1.1-TT.4
+= TomEE EAP 9.1.3-TT.4
 
-=== Changes in TomEE EAP 9.1.1-TT.4
+=== Changes in TomEE EAP 9.1.3-TT.4
 * Update jose4j 0.9.6 to mitigate CVE-2023-51775
+* Updated Tomcat to 10.0.28-TT.8 to mitigate CVE-2024-24549 and CVE-2024-23672
+* Update to CXF 4.0.4 to mitigate CVE-2024-28752
+
+=== Changes in TomEE EAP 9.1.3-TT.3
+* Prevent classloader leak in SmallRye MicroProfile OpenAPI ThreadLocal
+* Prevent classloader leak in SmallRye MicroProfile Config Provider
+
+=== Changes in TomEE EAP 9.1.3-TT.2
+* Prevent classloader leak in SmallRye MicroProfile Config Provider
+
+=== Changes in TomEE EAP 9.1.3-TT.1
+* TOMEE-3902 - Placeholders in MDB activation config
 
 === Changes in TomEE EAP 9.1.1-TT.2
 * Updated Tomcat to 10.0.28-TT.7 to mitigate CVE-2023-46589
diff --git a/tomee/tomee-catalina/src/main/java/org/apache/tomee/catalina/TomcatWebAppBuilder.java b/tomee/tomee-catalina/src/main/java/org/apache/tomee/catalina/TomcatWebAppBuilder.java
index 3f0d9853fbe..a885a8a0423 100644
--- a/tomee/tomee-catalina/src/main/java/org/apache/tomee/catalina/TomcatWebAppBuilder.java
+++ b/tomee/tomee-catalina/src/main/java/org/apache/tomee/catalina/TomcatWebAppBuilder.java
@@ -132,7 +132,6 @@
 import org.apache.tomee.catalina.cluster.TomEEClusterListener;
 import org.apache.tomee.catalina.environment.Hosts;
 import org.apache.tomee.catalina.event.AfterApplicationCreated;
-import org.apache.tomee.catalina.event.BeforeApplicationDestroyed;
 import org.apache.tomee.catalina.routing.RouterValve;
 import org.apache.tomee.catalina.security.TomcatSecurityConstaintsToJaccPermissionsTransformer;
 import org.apache.tomee.common.NamingUtil;
@@ -2087,10 +2086,6 @@ private static boolean isExcludedBySystemProperty(final StandardContext standard
 public void beforeStop(final StandardContext standardContext) {
 final ClassLoader classLoader = standardContext.getLoader().getClassLoader();
- final ContextInfo contextInfo = getContextInfo(standardContext);
-
- SystemInstance.get().fireEvent(new BeforeApplicationDestroyed(contextInfo.appInfo));
-
 // if it is not our custom loader clean up now otherwise wait afterStop
 if (!(standardContext.getLoader() instanceof LazyStopLoader)) {
 jsfClasses.remove(classLoader);
diff --git a/tomee/tomee-catalina/src/main/java/org/apache/tomee/catalina/event/BeforeApplicationDestroyed.java b/tomee/tomee-catalina/src/main/java/org/apache/tomee/catalina/event/BeforeApplicationDestroyed.java
index 51ec51ad018..e69de29bb2d 100644
--- a/tomee/tomee-catalina/src/main/java/org/apache/tomee/catalina/event/BeforeApplicationDestroyed.java
+++ b/tomee/tomee-catalina/src/main/java/org/apache/tomee/catalina/event/BeforeApplicationDestroyed.java
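Review bot: With the BeforeApplicationDestroyed event no longer fired from beforeStop, and its only visible observer (processApplication in TomEEMicroProfileListener) removed in this same commit, nothing left in the diff releases a web application's SmallRye Config on undeploy, so the "Prevent classloader leak in SmallRye MicroProfile Config Provider" entries kept in the release notes no longer describe code that is present; if that release now happens somewhere not shown here, a short pointer to it in this method or in the notes would make the change reviewable. BeforeApplicationDestroyed.java is also emptied rather than deleted (its index line ends in the empty-blob id e69de29bb2d and there is no deleted-file mode), which leaves a zero-byte .java source in the tree; remove the file instead. beforeStop's body continues past the end of the hunk.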
@@ -1,43 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.tomee.catalina.event;
-
-import jakarta.servlet.ServletContext;
-import org.apache.openejb.assembler.classic.AppInfo;
-import org.apache.openejb.assembler.classic.WebAppInfo;
-import org.apache.openejb.observer.Event;
-
-@Event
-public class BeforeApplicationDestroyed {
- private final AppInfo app;
-
- public BeforeApplicationDestroyed(final AppInfo appInfo) {
- app = appInfo;
- }
-
- public AppInfo getApp() {
- return app;
- }
-
-
- @Override
- public String toString() {
- return "BeforeApplicationCreated{" +
- "app=" + (app == null ? null : app.appId) +
- '}';
- }
-}
diff --git a/tomee/tomee-microprofile/mp-common/src/main/java/org/apache/tomee/microprofile/TomEEMicroProfileListener.java b/tomee/tomee-microprofile/mp-common/src/main/java/org/apache/tomee/microprofile/TomEEMicroProfileListener.java
index c14b28b1496..83dcae0bbe5 100644
--- a/tomee/tomee-microprofile/mp-common/src/main/java/org/apache/tomee/microprofile/TomEEMicroProfileListener.java
+++ b/tomee/tomee-microprofile/mp-common/src/main/java/org/apache/tomee/microprofile/TomEEMicroProfileListener.java
@@ -16,12 +16,9 @@
 */
 package org.apache.tomee.microprofile;
-import io.smallrye.config.SmallRyeConfigProviderResolver;
 import io.smallrye.opentracing.SmallRyeTracingDynamicFeature;
 import jakarta.servlet.ServletContext;
 import jakarta.servlet.ServletRegistration;
-import org.apache.openejb.AppContext;
-import org.apache.openejb.assembler.classic.AppInfo;
 import org.apache.openejb.assembler.classic.WebAppInfo;
 import org.apache.openejb.config.NewLoaderLogic;
 import org.apache.openejb.config.event.EnhanceScannableUrlsEvent;
@@ -30,16 +27,13 @@
 import org.apache.openejb.observer.Observes;
 import org.apache.openejb.observer.event.BeforeEvent;
 import org.apache.openejb.server.cxf.rs.event.ExtensionProviderRegistration;
-import org.apache.openejb.spi.ContainerSystem;
 import org.apache.openejb.util.LogCategory;
 import org.apache.openejb.util.Logger;
 import org.apache.tomee.catalina.event.AfterApplicationCreated;
-import org.apache.tomee.catalina.event.BeforeApplicationDestroyed;
+import org.apache.tomee.installer.Paths;
 import org.apache.tomee.microprofile.health.MicroProfileHealthChecksEndpoint;
 import org.apache.tomee.microprofile.openapi.MicroProfileOpenApiRegistration;
 import org.apache.tomee.microprofile.opentracing.MicroProfileOpenTracingExceptionMapper;
-import org.eclipse.microprofile.config.Config;
-import org.eclipse.microprofile.config.spi.ConfigProviderResolver;
 import org.jboss.jandex.Index;
 import org.jboss.jandex.Indexer;
@@ -48,6 +42,7 @@
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.net.MalformedURLException;
 import java.net.URL;
 import java.security.CodeSource;
 import java.util.Collection;
@@ -63,6 +58,10 @@ public class TomEEMicroProfileListener {
 private static final Logger LOGGER = Logger.getInstance(LogCategory.OPENEJB.createChild("tomcat"), TomEEMicroProfileListener.class);
+ private static final String[] MICROPROFILE_LIBS_IMPLS_PREFIXES = new String[]{
+ "mp-common"
+ };
+
 private static final String[] MICROPROFILE_EXTENSIONS = new String[]{
 "org.apache.tomee.microprofile.jwt.cdi.MPJWTCDIExtension",
 "org.apache.cxf.microprofile.client.cdi.RestClientExtension",
@@ -99,8 +98,17 @@ public void enhanceScannableUrls(@Observes final EnhanceScannableUrlsEvent enhan
 }
 }
- // Add mp-common jar so classes like MicroProfileHealthChecksEndpoint are scanned as well
- containerUrls.add(getClass().getProtectionDomain().getCodeSource().getLocation());
+ final Paths paths = new Paths(new File(System.getProperty("openejb.home")));
+ for (final String prefix : MICROPROFILE_LIBS_IMPLS_PREFIXES) {
+ final File file = paths.findTomEELibJar(prefix);
+ if (file != null) {
+ try {
+ containerUrls.add(file.toURI().toURL());
+ } catch (final MalformedURLException e) {
+ // ignored
+ }
+ }
+ }
 SystemInstance.get().setProperty("openejb.cxf-rs.cache-application", "false");
 }
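Review bot: The new jar lookup in enhanceScannableUrls fails silently: `new File(System.getProperty("openejb.home"))` throws NullPointerException when the property is unset, and when findTomEELibJar returns null (a non-standard layout, or an embedded/test run where mp-common is on the classpath rather than under the TomEE lib directory) the mp-common classes are simply not scanned, so endpoints such as MicroProfileHealthChecksEndpoint quietly stop being registered, whereas the replaced code-source line always contributed a URL. The `// ignored` catch likewise drops the MalformedURLException without a trace. I would guard the property, log each skipped prefix through the existing LOGGER, and fall back to the code-source location when no jar was found, as in the rewrite below. A one-line comment on MICROPROFILE_LIBS_IMPLS_PREFIXES saying why the lib directory is now searched instead of the code source (the removed comment explained the old approach) would help the next reader, since the motivation is not visible in the hunk. enhanceScannableUrls's signature lies outside the hunk.
```java
        // … unchanged: loop over the existing container URLs …
        final String home = System.getProperty("openejb.home");
        final Paths paths = home == null ? null : new Paths(new File(home));
        boolean found = false;
        for (final String prefix : MICROPROFILE_LIBS_IMPLS_PREFIXES) {
            final File file = paths == null ? null : paths.findTomEELibJar(prefix);
            if (file == null) {
                LOGGER.warning("No TomEE lib jar with prefix '" + prefix + "' found; its classes will not be scanned");
                continue;
            }
            try {
                containerUrls.add(file.toURI().toURL());
                found = true;
            } catch (final MalformedURLException e) {
                LOGGER.warning("Ignoring lib jar that cannot be converted to a URL: " + file, e);
            }
        }
        if (!found) {
            // keep the previous behaviour so mp-common is still scanned in layouts without a lib directory
            containerUrls.add(getClass().getProtectionDomain().getCodeSource().getLocation());
        }
        // … unchanged: openejb.cxf-rs.cache-application property …
```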
@@ -138,21 +146,6 @@ public void processApplication(@Observes final BeforeEvent beforeApplicationDestroyed) {
- final AppInfo appInfo = beforeApplicationDestroyed.getEvent().getApp();
- final ContainerSystem containerSystem = SystemInstance.get().getComponent(ContainerSystem.class);
- final AppContext appContext = containerSystem.getAppContext(appInfo.appId);
-
- final ClassLoader appClassLoader = appContext.getClassLoader();
- final ConfigProviderResolver instance = ConfigProviderResolver.instance();
-
- if (SmallRyeConfigProviderResolver.class.isInstance(instance)) {
- SmallRyeConfigProviderResolver srcpr = SmallRyeConfigProviderResolver.class.cast(instance);
- final Config config = srcpr.getConfig(appClassLoader);
- srcpr.releaseConfig(config);
- }
- }
-
 public void registerMicroProfileJaxRsProviders(@Observes final ExtensionProviderRegistration extensionProviderRegistration) {
 extensionProviderRegistration.getProviders().add(new SmallRyeTracingDynamicFeature());