FYI: apache-mime4j-core is a shaded dependency of the Jakarta Mail spec
jar inside of Geronimo Mail. I did a quick search in the IDE and its code
doesn't seem to be actually used, so no big deal here (aside from
confusing vulnerability scanners).

On Friday, 29.03.2024 at 13:07 +0100, Alex The Rocker wrote:
> Hi Richard,
> 
> Maybe not fully answering your request to get a dependency analysis
> on lib/, but running the latest grype led to this small finding:
> 
> NAME                INSTALLED  FIXED-IN  TYPE          VULNERABILITY        SEVERITY
> apache-mime4j-core  0.8.7      0.8.10    java-archive  GHSA-jw7r-rxff-gv24  Medium
> 
> The use of apache-mime4j-core comes from: geronimo-mail_2.1_spec-1.0.0-M1.jar
> 
> This vulnerability is associated with CVE-2024-21742 in Maven Central.
> 
> If it's not trivial to fix in 9.1.3, then I guess its medium severity
> doesn't make it vital to update.
> 
> Should I check other dependencies against non-vulnerability-related
> criteria?
> 
> Thanks,
> Alex
> 
> On Fri, 29 Mar 2024 at 12:44, Richard Zowalla <r...@apache.org> wrote:
> > 
> > Hi,
> > 
> > I have nothing against doing a TomEE 9.1.3, which is merely a time
> > thing. Doing the actual release preparation, starting the vote, etc.
> > takes ~30-60 min depending on the machine.
> > 
> > If we need to do additional library upgrades, it might take some
> > additional time to wait until CI is complete and to fix potential
> > issues. The good thing is that the current CI build is happy.
> > 
> > What would help to speed things up:
> > 
> > Are there any additional dependencies we need to update for 9.1.3?
> > 
> > If someone can have a quick look into /lib of a 9.1.3-SNAPSHOT, we
> > might be able to do the updates quickly and get some CI feedback, so we
> > can start with release preparations.
> > 
> > Regards
> > Richard
> > 
> > On Friday, 29.03.2024 at 11:01 +0100, Alex The Rocker wrote:
> > > Hi there,
> > > 
> > > It's been more than 3 months since TomEE 9.1.2 was released.
> > > A couple of updates have been delivered in 9.1.3 in-work,
> > > including 2 CVE fixes.
> > > Wouldn't it be a good thing to release a 9.1.3 within the coming
> > > weeks?
> > > 
> > > (I know we would like to have 10.0.0 asap, but a small patch release
> > > on 9.2.x with dependency / security fixes could help keep
> > > community users comfortable with not-too-old versions)
> > > 
> > > (my 2 cents ;)
> > > 
> > > Alex
> > 
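A quick way to back up the "shaded but not actually used" observation across a whole lib/ directory, as an added example (not code from this thread or from TomEE): list which jars bundle the shaded package, then look for any other class whose constant pool names it. The package prefix `org/apache/james/mime4j/` is assumed to be where the shaded copy lives, and the jar contents below are constructed stand-ins, not real TomEE artifacts.

```python
import io
import zipfile

# Assumption: the shaded apache-mime4j classes keep their upstream package
# (org.apache.james.mime4j); adjust if the copy was relocated when shading.
MIME4J_PKG = "org/apache/james/mime4j/"

def _entries(jar_bytes):
    """All .class entries of an in-memory jar as {path: bytes}."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {n: zf.read(n) for n in zf.namelist() if n.endswith(".class")}

def shaded_classes(jar_bytes, pkg=MIME4J_PKG):
    """Class entries inside the jar that belong to the shaded package."""
    return sorted(n for n in _entries(jar_bytes) if n.startswith(pkg))

def referencing_classes(jar_bytes, pkg=MIME4J_PKG):
    """Classes outside pkg whose bytes mention it. Class files keep referenced
    class names as UTF-8 constant-pool strings, so a byte search is a cheap,
    conservative usage check (it also catches Class.forName("...") literals)."""
    needle = pkg.encode()
    return sorted(n for n, data in _entries(jar_bytes).items()
                  if not n.startswith(pkg) and needle in data)

def scan_lib(jars, pkg=MIME4J_PKG):
    """jars: {file name: jar bytes}. Returns (jars shading pkg, {jar: referencing classes})."""
    shading = sorted(name for name, b in jars.items() if shaded_classes(b, pkg))
    refs = {name: hits for name, b in jars.items() if (hits := referencing_classes(b, pkg))}
    return shading, refs

def _jar(entries):
    """Build an in-memory jar; entries map class path -> fake class payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in entries.items():
            zf.writestr(path, b"\xca\xfe\xba\xbe" + data)  # class-file magic + payload
    return buf.getvalue()

def build_sample_lib():
    """Constructed stand-in for a lib/ directory (fake class bytes, not real jars)."""
    return {
        "geronimo-mail_2.1_spec-1.0.0-M1.jar": _jar({
            "org/apache/james/mime4j/dom/Message.class": b"",
            "jakarta/mail/Session.class": b"java/lang/Object",
        }),
        "app-that-does-not-use-it.jar": _jar({"com/example/App.class": b"jakarta/mail/Session"}),
        "app-that-uses-it.jar": _jar({"com/example/Parser.class": b"org/apache/james/mime4j/dom/Message"}),
    }

if __name__ == "__main__":
    shading, refs = scan_lib(build_sample_lib())
    print("jars shading mime4j:", shading)
    print("classes referencing mime4j:", refs or "none (the shaded copy is dead weight)")
```

Against a real distribution, feed `scan_lib({p.name: p.read_bytes() for p in Path("lib").glob("*.jar")})`; an empty `refs` result means no bundled class names the package, which is stronger evidence than an IDE search of the TomEE sources alone.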
