No objection on my side, as long as OAuth2 support works with Eclipse Mail 1.6. (but if there's no hurry for this one, then I'm more interested in AMQ upgrade previously mentionned)
Alex Le dim. 31 mars 2024 à 21:54, Richard Zowalla <rich...@zowalla.com> a écrit : > > Hi all, > > I was looking in more depth into the mime4j cve reported by grype for 9.1.x > and 10.0.x - the spec jar contains a shade of mime4j but doesn't use anything > of it. > > After going down the rabbit hole (just a bit) and chatting with Romain, we > noticed, that mail spec 1.5 was created from a version of 1.4, which missed a > few fixes (which introduced mime4j and fixed things in the mime type spec > part). > This is the reason for mime4j not being used in the spec since 1.5+. 1.6 was > created from 1.5 and the current 2.1 from 1.6. > > Since TomEE switched to Eclipse specs (for most APIs), I am wondering, if we > want to switch to Eclipse Mail + Impl and drop Geronimo Mail in TomEE? > > Alternative would be to diff Geronimo Mail 1.4 vs 1.6, see the functional > difference regarding the mime type bugs fixed and port that to 2.1. > > Not an actual blocker but something we should consider in the long run. > > Thoughts? > > Gruß > Richard