Releases: payara/Payara
Payara Platform Community 6.2023.6
Release notes
Supported APIs and Applications
- Jakarta EE 10
- Jakarta EE 10 Applications
- MicroProfile 6.0
Bug Fixes
- FISH-7204 [Community Contribution - ctabin] Removes Internal Throwable Reference to Avoid Potential Class Loader Leaks
- FISH-7354 ClassNotFoundException on after Payara 5 to Payara 6 Upgrade
Component Upgrades
- FISH-6869 Upgrade Concurrent API to 3.0.2
Payara Platform Community 6.2023.5
Release notes
Supported APIs and Applications
- Jakarta EE 10
- Jakarta EE 10 Applications
- MicroProfile 6.0
- FISH-7096 Upgrade Service for JACC
Bug Fixes
- FISH-7127 Unable to create JVM option using Web UI
- FISH-7337 Don't Block Hazelcast by Default
- FISH-7359 Fix change-master-password for P12 Keystore Format
- FISH-7363 Add support for JKS to the `change-master-password` command in Payara 6
Security Fixes
- FISH-7292 Fix CVE-2023-1370, json-smart Uncontrolled Recursion vulnerability
Component Upgrades
Payara Platform Community 6.2023.4
Release notes - Payara Platform Community 6.2023.4
Supported APIs and Applications
- Jakarta EE 10
- Jakarta EE 10 Applications
- MicroProfile 6.0
- [FISH-6908] Configure SameSite Cookie Attribute in Application Deployment Descriptor
Bug Fix
- [FISH-7202] Payara 6 deployment error with JDK17 and records
Component Upgrades
Payara Platform Community 6.2023.3
Release notes - Payara Platform Community 6.2023.3
Supported APIs and Applications
- Jakarta EE 10
- Jakarta EE 10 Applications
- MicroProfile 6.0
Known Issues
ASM Warning
- When deploying an application that contains a Java Record, there is a warning logged in the server logs about Records not being supported. No worries. Your application will deploy and work. This is a known issue that is being looked into.
Breaking Change
Minimum Required JDK
- The minimum required JDK to run this and subsequent releases of this stream is 11.0.12
- As this release comes with MicroProfile 6, you might want to peruse its release announcement to keep on top of any possible breaking changes
- [FISH-7206] Update the REST SSL Alias Extension for Payara 6
- [FISH-1366] Upgrade cacerts.jks and keystore.jks to pkcs12
- [FISH-6634] Make Notifiers Payara 6 Compatible
- [FISH-6907] Configure SameSite Cookie Attribute Globally for an HTTP Network Listener
Bug Fixes
- [FISH-6479] SLF4J API fails to load an implementation
- [FISH-7016] Server Instances Zombie When Port Conflicts Are Detected During Startup
- [FISH-7063] Publish Jakarta Platform 10 in the BOM
- [FISH-7076] Malformed SQL when using SecondaryTable & PrimaryKeyJoinColumn annotations
- [FISH-7077] Deploy and redeploy using local packaged file not working
- [FISH-5981] 'java.lang.LinkageError' when using Apache Santuario and SLF4J/Logback
Component Upgrades
Payara Platform Community 6.2023.2
Release notes - Payara Platform Community 6.2023.2
Supported APIs and Applications
- Jakarta EE 10
- Jakarta EE 10 Applications
- MicroProfile 5.0
Breaking Change
MicroProfile OpenAPI property renamed
The MicroProfile OpenAPI config property was renamed from "mp.openapi.scan.lib" to "mp.openapi.extensions.scan.lib". If you are currently using this property and upgrading to Payara Community 6.2023.2 and later versions, please remember to change to this new one, otherwise your values may not be picked up.
- [FISH-6927] Rename MicroProfile OpenAPI from "mp.openapi.scan.lib" to "mp.openapi.extensions.scan.lib" property (breaking change)
- [FISH-6963] [Community Contribution - pzygielo] Log Alias of Expired Certificate
- [FISH-7024] [Community Contribution - ctabin] Migration to Jakarta Persistence 3.0 namespace for EJB Timer services
Bug Fixes
- [FISH-6432] Applications Take Longer To Deploy on JDK 11 and 17
- [FISH-6815] Asadmin CLI Utility Commands [start/stop/restart-deployment-group] times out
- [FISH-6947] Command asadmin --detach list-instances is not working any more starting 5.45.0
- [FISH-6962] [Community Contribution - pzygielo] Incorrect MBeanMetadataConfig Class Name
- [FISH-6983] Revert Removal of JobManager
Payara Platform Community 6.2023.1
Supported APIs and Applications
- Jakarta EE 10
- Jakarta EE 10 Applications
- MicroProfile 5.0
- FISH-1413 Allow using environment variables in the create-connector-connection-pool command
Security Fix
- FISH-6644 Upgrade OpenSSL to v 1.1.1q or higher in Payara Server Docker Images
Component Upgrades
- FISH-6720 Upgrade Jersey to 3.1.0-M8
- FISH-6721 Upgrade DBSchema to 6.7
- FISH-6722 Upgrade Schema2Beans to 6.7
- FISH-6820 Update Woodstox to 6.4.0
- FISH-6848 Upgrade Maven Install Plugin to 3.1.0
- FISH-6849 Upgrade Felix ConfigAdmin to 1.9.26
- FISH-6850 Upgrade Apache BCEL to 6.7.0
- FISH-6854 Upgrade Jackson to 2.14.1
Payara Platform Community 6.2022.2
Release notes - Payara Platform Community 6.2022.2
Supported APIs and Applications
- Jakarta EE 10
- Jakarta EE 10 Applications
- MicroProfile 5
- [FISH-1175] Fix Typo in annotation attribute (Public API)
- [FISH-5809] Include jdk.internal.reflect packages in OSGi boot delegation configuration settings
- [FISH-6495] Hazelcast File Configuration in Payara Embedded
- [FISH-6588] Define Start-up, Post-Boot, Deployment, and Post-Start-up Phases
Security Fixes
- [FISH-6715] Upgrade Apache BCEL to 6.6.1
- [FISH-6775] Authorization Constraints Ignored When Using Path Traversal Penetration Using Default Virtual Module
Bug Fixes
- [FISH-5778] The OpenApi "name" Property does not Rename Annotated Class Attribute
- [FISH-5798] OpenAPI annotation `@Parameter(... explode # Explode.TRUE)` gives stacktrace
- [FISH-5808] JAX-RS Subresources don't Appear in OpenAPI Document
- [FISH-6066] Invalid property 'default-web-xml' on instance start-up
- [FISH-6484] Docker Node Instance is Unable to Resolve Hostname for DAS on Docker
- [FISH-6567] LDAP Realm Breaks with Java 11.0.15
- [FISH-6596] Support jakarta.* request properties
- [FISH-6729] Cannot Load Payara Deployment Transformer
Component Upgrades
- [FISH-6578] [Community Contribution - Lenny Primak] Update JNA in order to work with Apple Silicon
- [FISH-6669] Upgrade JDK Versions in Docker Images to 8u352, 11.0.17, and 17.0.5
- [FISH-6675] Upgrade Jackson to 2.13.4
- [FISH-6676] Upgrade Snakeyaml to 1.33
- [FISH-6700] Upgrade JLine to 3.21.0
- [FISH-6701] Upgrade Javassist to 3.29.2-GA
- [FISH-6702] Upgrade metainf-services to 1.9
- [FISH-6704] Upgrade Felix Config Admin to 1.9.24
- [FISH-6705] Upgrade Felix Event Admin to 1.6.4
- [FISH-6706] Upgrade Felix File Install to 3.7.4.payara-p1
- [FISH-6707] Upgrade Felix Gogo Runtime to 1.1.6
- [FISH-6708] Upgrade Felix to 7.0.5
- [FISH-6709] Upgrade Felix SCR to 2.1.30
- [FISH-6710] Upgrade Felix Web Console to 4.8.4
- [FISH-6711] Upgrade OSGi Util Function to 1.2.0
- [FISH-6712] Upgrade OSGi Util Promise to 1.2.0
- [FISH-6714] Upgrade Management API to 3.2.3
- [FISH-6718] Upgrade Build and Test Plugins
- [FISH-6724] Upgrade Payara Deployment Transformer API to 1.1.1
- [FISH-6726] Upgrade Eclipse Payara Transformer to 0.2.9
Payara Platform Community 5.2022.5
Release Notes - Payara Platform Community 5.2022.5
Supported APIs and Applications
- Jakarta EE 8
- Jakarta EE 8 Applications
- Jakarta EE 9
- MicroProfile 4.1
Payara 5.2022.5 is the final release of Payara 5 Community. Payara 5 Community will receive no more bug fixes, updates or improvements. Payara 5 Community is now replaced by Payara 6 Community, to be used with Jakarta EE 10. If you want to keep using earlier Java EE/Jakarta EE versions, we encourage you to move to Payara 5 Enterprise.
- [FISH-5809] Include jdk.internal.reflect packages in OSGi boot delegation configuration settings
- [FISH-6495] Hazelcast File Configuration in Payara Embedded
Security Fixes
- [FISH-6715] Upgrade Apache BCEL to 6.6.1
- [FISH-6775] Authorization Constraints Ignored When Using Path Traversal Penetration Using Default Virtual Module
Bug Fixes
- [FISH-5778] The OpenApi "name" Property does not Rename Annotated Class Attribute
- [FISH-5798] OpenAPI annotation `@Parameter(... explode # Explode.TRUE)` gives stacktrace
- [FISH-5808] JAX-RS Subresources don't Appear in OpenAPI Document
- [FISH-6022] MicroProfile JWT Token verified on unauthorized endpoints
- [FISH-6047] Single-Sign-On logout action not working correctly when used with Jakarta EE Security features
- [FISH-6066] Invalid property 'default-web-xml' on instance start-up
- [FISH-6299] Expired/Invalid JWT-Token and CORS-errors
- [FISH-6499] NullPointerException When Deploying An Application
- [FISH-6567] LDAP Realm Breaks with Java 11.0.15
- [FISH-6598] Fix Authentication Mechanism Lookup for Per-Module Auth Configuration in EAR
- [FISH-6606] Empty Zip File Error When Deploying via Admin Console
Component Upgrades
- [FISH-6669] Upgrade JDK Versions in Docker Images to 8u352, 11.0.17, and 17.0.5
- [FISH-6670] Upgrade Jersey to 2.37
- [FISH-6671] Upgrade Servlet-API to 4.0.4
- [FISH-6672] Upgrade Hibernate Validator to 6.2.5.Final
- [FISH-6673] Upgrade Jakarta EL to 3.0.4
- [FISH-6674] Upgrade Mail to 1.6.7
- [FISH-6675] Upgrade Jackson to 2.13.4
- [FISH-6676] Upgrade Snakeyaml to 1.33
- [FISH-6677] Upgrade Hazelcast to 4.2.5
- [FISH-6678] Upgrade JAXB-API to 2.3.3
- [FISH-6679] Upgrade JAXB-OSGi to 2.3.7
- [FISH-6681] Upgrade Tyrus to 1.20
- [FISH-6682] Upgrade Yasson to 1.0.11
- [FISH-6683] Upgrade EclipseLink to 2.7.11
- [FISH-6684] Upgrade Jakarta Inject to 1.0.5
- [FISH-6685] Upgrade Weld to 3.1.9.Final
- [FISH-6686] Upgrade ASM to 9.4
- [FISH-6687] Upgrade Concurrency to 1.1
- [FISH-6688] Upgrade Istack Commons to 3.0.12
- [FISH-6689] Upgrade Activation to 1.2.2
- [FISH-6690] Upgrade JAX-WS to 2.3.3
- [FISH-6691] Upgrade JMS to 2.0.3
- [FISH-6692] Upgrade MicroProfile Config to 2.0.1
- [FISH-6693] Upgrade MicroProfile JWT-Auth to 1.2.2
- [FISH-6694] Upgrade MicroProfile Metrics to 3.0.1
- [FISH-6695] Upgrade MicroProfile OpenAPI to 2.0.1
- [FISH-6696] Upgrade OSGi DTO to 1.1.1
- [FISH-6698] Upgrade Woodstox to 5.4.0
- [FISH-6699] Upgrade HA API to 3.1.13
- [FISH-6700] Upgrade JLine to 3.21.0
- [FISH-6701] Upgrade Javassist to 3.29.2-GA
- [FISH-6702] Upgrade metainf-services to 1.9
- [FISH-6703] Upgrade Mimepull to 1.9.15
- [FISH-6704] Upgrade Felix Config Admin to 1.9.24
- [FISH-6705] Upgrade Felix Event Admin to 1.6.4
- [FISH-6706] Upgrade Felix File Install to 3.7.4.payara-p1
- [FISH-6707] Upgrade Felix Gogo Runtime to 1.1.6
- [FISH-6708] Upgrade Felix to 7.0.5
- [FISH-6709] Upgrade Felix SCR to 2.1.30
- [FISH-6710] Upgrade Felix Web Console to 4.8.4
- [FISH-6711] Upgrade OSGi Util Function to 1.2.0
- [FISH-6712] Upgrade OSGi Util Promise to 1.2.0
- [FISH-6714] Upgrade Management API to 3.2.3
- [FISH-6717] Upgrade JBoss Logging to 3.4.3.Final
- [FISH-6718] Upgrade Build and Test Plugins
- [FISH-6726] Upgrade Eclipse Payara Transformer to 0.2.9
Payara Platform Community 6.2022.1
Release notes - Payara Platform Community 6.2022.1
Supported APIs and Applications
- Jakarta EE 10
- Jakarta EE 10 Applications
- MicroProfile 5
Security Vulnerability
We have been made aware of a 0-day vulnerability. It gives attackers a way to explore the contents of the WEB-INF and META-INF folders if an application is deployed to the root context. This vulnerability is similar to another 0-day vulnerability (CVE-2022-37422) that we recently had. We would like to thank Michael Baer, Luc Créti and Jean-Michel Lenotte, all working for Atos, for alerting us to this vulnerability. You must upgrade to this latest version of Payara 6 Community to avoid the security issue.
- [FISH-372] Provide option to disable clustering functionality of Hazelcast on Payara Micro
- [FISH-1336] Properly Shutdown Payara Micro on Ctrl+C
- [FISH-5827] Stuck Thread count as MicroProfile Metric Gauge
- [FISH-5828] Connection Pool Metrics Exposed as MicroProfile Metrics
- [FISH-6434] Support OpenID Connect token issuer field in ADFS
Security Fix
- [FISH-6603] 0-Day Vulnerability Exploit Using ROOT Context Deployments
Bug Fixes
- [FISH-1418] JMX Service doesn't start on JDK 8u292 and 11.0.11
- [FISH-5806] Remove JobManager from Payara Server
- [FISH-6238] MicroProfile Interceptors are not getting invoked if the EJB is a `@Stateless` Bean
- [FISH-6347] Fix Admin Console (Post Mojarra Upgrade)
- [FISH-6430] TransactionScopedCDIEventHelperImpl Injection Error
- [FISH-6435] Dynamic Proxy is not Used when Injecting Context Types into Singleton EJB
- [FISH-6470] GCM Cipher Suites Not Being Recognized
- [FISH-6481] CORBA Incorrectly opening an additional TCP socket on Windows systems
- [FISH-6500] Domain Property Ignored
- [FISH-6501] Commands in Postboot File Fail
- [FISH-6506] Environment Variable Replacement in Payara Micro Logging Properties File Does Not Work
- [FISH-6566] Unable to Restart Instance with Application containing JSON File
- [FISH-6576] Jakarta EE 10 DDs schema definition file missing in Payara 6.x
Component Upgrades
- [FISH-6357] Ensure No Longer Using Jakarta Milestone Components
- [FISH-6543] Update JAXB Impl to 4.0.1
Payara Platform Community 5.2022.4
Release notes - Payara Platform Community 5.2022.4
Supported APIs and Applications
- Jakarta EE 8
- Jakarta EE 8 Applications
- Jakarta EE 9
- MicroProfile 4.1
Security Vulnerability
We have been made aware of a 0-day vulnerability. It gives attackers a way to explore the contents of the WEB-INF and META-INF folders if an application is deployed to the root context. This vulnerability is similar to another 0-day vulnerability (CVE-2022-37422) that we recently had. We would like to thank Michael Baer, Luc Créti and Jean-Michel Lenotte, all working for Atos, for alerting us to this vulnerability. You must upgrade to this latest version of Payara 5 Community to avoid the security issue.
- [FISH-6434] Support OpenID Connect token issuer field in ADFS
- [FISH-5828] Connection Pool Metrics Exposed as MicroProfile Metrics
- [FISH-5827] Stuck Thread count as MicroProfile Metric Gauge
- [FISH-372] Provide option to disable clustering functionality of Hazelcast on Payara Micro
Security Fixes
- [FISH-6603] 0-Day Vulnerability Exploit Using ROOT Context Deployments
- [FISH-6522] Fix CVE-2021-31684/GitHub Advisory - GHSA-fg2v-w576-w4v3 in Payara Platform
- [FISH-6391] Fix sonatype-2014-0173 commons-fileupload : commons-fileupload : 1.3.3
Bug Fixes
- [FISH-5980] Add Option to use ForkJoinPool for Managed Executor Services
- [FISH-6566] Unable to Restart Instance with Application containing JSON File
- [FISH-6506] Environment Variable Replacement in Payara Micro Logging Properties File Does Not Work
- [FISH-6501] Commands in Postboot File Fail
- [FISH-6500] Domain Property Ignored
- [FISH-6481] CORBA Incorrectly opening an additional TCP socket on Windows systems
- [FISH-6477] [Community Contribution - Piotrek Żygieło] Wrong License in Payara Zip Distribution
- [FISH-6470] GCM Cipher Suites Not Being Recognized
- [FISH-6435] Dynamic Proxy is not Used when Injecting Context Types into Singleton EJB
- [FISH-6430] TransactionScopedCDIEventHelperImpl Injection Error
- [FISH-6415] Unexpected error when starting instance hosted in remote SSH nodes on Windows OS system via Cygwin
- [FISH-6238] MicroProfile Interceptors are not getting invoked if the EJB is a `@Stateless` Bean
- [FISH-5806] Remove JobManager from Payara Server
- [FISH-5723] WebAppClassloader instances are memory leaked
Component Upgrade
- [FISH-6285] Upgrade Jersey to 2.36