7.1.1
Eclipse GlassFish is an application server that implements Jakarta EE. This release corresponds to the Jakarta EE 10 specification, which is a major feature release. Jakarta EE 10 requires JDK 11 as a minimum, but also officially works on JDK 17 and JDK 21.
GlassFish 7.1.0 is a final release, containing final Jakarta EE 10 APIs. It compiles and runs on JDK 17 to JDK 25.
Since version 7.1.1, the GlassFish 7.1.x branch is in active maintenance mode, getting applicable fixes and improvements from the main branch, while active development focuses on the main GlassFish 8.x branch.
Release overview
This update fixes known vulnerabilities and some regressions introduced in GlassFish 7.1.0. It backports most of the applicable fixes and improvements from GlassFish 8.0.2 and some from 8.0.3, including a fix for a memory leak in Jersey and a performance improvement for Jakarta Faces rendering.
What's Changed
Security Fixes
- Fixes CVE-2026-2586 (CRITICAL, 9.1) - A critical Remote Code Execution (RCE) vulnerability in Admin Console
- Fixes CVE-2026-2587 (CRITICAL, 9.6) - An authenticated Remote Code Execution (RCE) vulnerability in Admin Console
- Fixes CVE-2020-27511 (HIGH, 7.5) - Upgrade Woodstock to 6.0.3 with a security fix for prototype
- Not affected by CVE-2022-46337 (CRITICAL, 9.8) - GlassFish is not exploitable because the bundled Derby DB does not authenticate database users via LDAP
Improvements
- Cache isInterceptor per deployment and streamline WeldUtils.isValidAnnotation (port to 7.x) by @OndroMih in #26084
- Fixed stopping domain - we have to bound to 4848 before we ask server to stop by @dmatej in #25827
- Extract console-mail-plugin and add button "send test email" by @bvfalcon in #25997
Bug Fixes
- Backport medium priority fixes from main to 7.x by @OndroMih in #26094
- Backport low priority fixes from main to 7.x by @OndroMih in #26095
- Fix create-domain with a custom master password (Backport 7.x) by @OndroMih in #26087
Component Upgrades
- Bump eclipselink from 4.0.8 to 4.0.9 by @pzygielo in #25860
- Bump Mojarra from 4.0.12 to 4.0.13 by @pzygielo in #25862
- Bump JUnit from 5.14.0 to 5.14.1 by @pzygielo in #25863
- Bump Tyrus from 2.1.5 to 2.1.6 by @pzygielo in #25864
- Bump helidon-microprofile-config from 3.2.15 to 3.2.16 by @pzygielo in #25865
- Bump com.fasterxml:classmate from 1.7.1 to 1.7.2 by @pzygielo in #25866
- Bump com.fasterxml.jackson* from 2.20.0 to 2.20.1 by @pzygielo in #25867
- Bump com.github.mwiede:jsch from 2.27.3 to 2.27.7 by @pzygielo in #25868
- Upgrade JSF templating to 4.0.5 (7.x) by @OndroMih in #26066
- Upgrade Mojarra to 4.0.15 (7.x branch) by @OndroMih in #26072
- Upgrade Jersey to 3.1.12 (7.x) by @OndroMih in #26083
- (7.x) Upgrade Woodstock to 6.0.3 with a security fix for prototype by @OndroMih in #26076
Maintenance
- Fixed URLS to TCK by @dmatej in #25824
- Explicit version of o.g.hk2:osgiversion-m-p by @pzygielo in #25821
- Fix MP TCK arquillian override by @arjantijms in #25828
- Fix JWT TCK not running fully on non-default base URL by @arjantijms in #25829
- Updated Faces TCK by @dmatej in #25816
- Update PR target trigger spec by @pzygielo in #25858
- Updated links to refer Java 17 by @dmatej in #25891
- Actualize links to documentation by @bvfalcon in #25994
- Merge of 7.0.26 to 7.x by @dmatej in #26131
Full Changelog: 7.1.0...7.1.1