Hi all, 

I was looking in more depth into the mime4j CVE reported by grype for 9.1.x and 
10.0.x - the spec jar contains a shade of mime4j but doesn't use anything of it.

After going down the rabbit hole (just a bit) and chatting with Romain, we 
noticed that mail spec 1.5 was created from a version of 1.4 which missed a 
few fixes (which introduced mime4j and fixed things in the mime type spec 
part). 
This is the reason for mime4j not being used in the spec since 1.5+. 1.6 was 
created from 1.5, and the current 2.1 from 1.6.

Since TomEE switched to Eclipse specs (for most APIs), I am wondering if we 
want to switch to Eclipse Mail + Impl and drop Geronimo Mail in TomEE? 

An alternative would be to diff Geronimo Mail 1.4 vs 1.6, see the functional 
difference regarding the mime type bugs fixed, and port that to 2.1.

Not an actual blocker but something we should consider in the long run.

Thoughts?

Regards
Richard 
