It was more or less a: if you think there is something additional to look at related to dependencies (CVE or critical bugs), feel free to shout out loud.

Mime4J might be a thing and already has a Jira (if I remember correctly). It boils down to dependency management on our side, but I need to check.

Regards
Richard

On 29 March 2024 13:07:14 CET, Alex The Rocker <[email protected]> wrote:
> Hi Richard,
>
> Maybe not fully answering your request to get a dependency analysis on
> lib/, but running the latest grype led to this small finding:
>
> NAME                INSTALLED  FIXED-IN  TYPE          VULNERABILITY        SEVERITY
> apache-mime4j-core  0.8.7      0.8.10    java-archive  GHSA-jw7r-rxff-gv24  Medium
>
> The use of apache-mime4j-core comes from: geronimo-mail_2.1_spec-1.0.0-M1.jar
>
> This vulnerability is associated with CVE-2024-21742 in Maven Central.
>
> If not trivial to fix in 9.1.3 then I guess its medium severity
> doesn't make it vital to update.
>
> Should I check other dependencies against non-vulnerability-related criteria?
>
> Thanks,
> Alex
>
> On Fri, 29 Mar 2024 at 12:44, Richard Zowalla <[email protected]> wrote:
>>
>> Hi,
>>
>> I have nothing against doing a TomEE 9.1.3, which is merely a time
>> thing. Doing the actual release preparation, starting the vote, etc.
>> takes ~30-60 min depending on the machine.
>>
>> If we need to do additional library upgrades, it might take some
>> additional time to wait until CI is complete and to fix potential
>> issues. The good thing is that the current CI build is happy.
>>
>> What would help to speed things up:
>>
>> Are there any additional dependencies we need to update for 9.1.3?
>>
>> If someone can have a quick look into /lib of a 9.1.3-SNAPSHOT, we
>> might be able to do the updates quickly and get some CI feedback, so we
>> can start with release preparations.
>>
>> Regards
>> Richard
>>
>> On Friday, 29.03.2024 at 11:01 +0100, Alex The Rocker wrote:
>> > Hi there,
>> >
>> > It's been more than 3 months since TomEE 9.1.2 was released.
>> > A couple of updates have been delivered in 9.1.3 in-work, including 2
>> > CVE fixes.
>> > Wouldn't it be a good thing to release a 9.1.3 within the coming weeks?
>> >
>> > (I know we would like to have 10.0.0 asap, but a small patch release
>> > on 9.2.x with dependency / security fixes could help keep
>> > community users comfortable with not too old versions)
>> >
>> > (my 2 cents ;)
>> >
>> > Alex
>>

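The triage Alex does by hand above (medium severity, fix available, so not release-blocking) can be scripted over grype's JSON output. This is an added example, not code from the thread or from TomEE; the field names are assumed from grype's `-o json` schema and the sample report is constructed to mirror the single finding quoted above.

```python
import json
from typing import Dict, List

# Constructed sample in the shape of `grype -o json` output (field names are an
# assumption about grype's schema); the values mirror the finding in the thread.
SAMPLE_GRYPE_JSON = json.dumps({
    "matches": [
        {
            "vulnerability": {
                "id": "GHSA-jw7r-rxff-gv24",
                "severity": "Medium",
                "fix": {"versions": ["0.8.10"], "state": "fixed"},
            },
            "relatedVulnerabilities": [{"id": "CVE-2024-21742"}],
            "artifact": {"name": "apache-mime4j-core", "version": "0.8.7",
                         "type": "java-archive"},
        }
    ]
})

SEVERITY_RANK = {"Unknown": 0, "Negligible": 0, "Low": 1,
                 "Medium": 2, "High": 3, "Critical": 4}


def triage(grype_json: str, block_at: str = "High") -> Dict[str, List[str]]:
    """Sort grype matches into 'block' (must fix before the release),
    'upgrade' (a fixed version exists but severity is below the threshold)
    and 'track' (no fixed version yet). Returns one summary line per finding."""
    report = json.loads(grype_json)
    buckets: Dict[str, List[str]] = {"block": [], "upgrade": [], "track": []}
    for m in report.get("matches", []):
        vuln, art = m["vulnerability"], m["artifact"]
        # Prefer a CVE id for cross-referencing (e.g. against Maven Central),
        # fall back to the advisory id grype matched on.
        cves = [r["id"] for r in m.get("relatedVulnerabilities", [])
                if r["id"].startswith("CVE-")]
        ident = cves[0] if cves else vuln["id"]
        fixed_in = vuln.get("fix", {}).get("versions") or []
        line = (f"{art['name']} {art['version']} -> "
                f"{','.join(fixed_in) or 'no fix'} ({ident}, {vuln['severity']})")
        if SEVERITY_RANK.get(vuln["severity"], 0) >= SEVERITY_RANK[block_at]:
            buckets["block"].append(line)
        elif fixed_in:
            buckets["upgrade"].append(line)
        else:
            buckets["track"].append(line)
    return buckets


if __name__ == "__main__":
    for bucket, lines in triage(SAMPLE_GRYPE_JSON).items():
        print(bucket, lines)
```

Lowering `block_at` to "Medium" turns the same finding into a release blocker, which is the policy knob a release manager would tune.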