Hello everyone,

This is a vote for the release of Apache TomEE 9.1.3

It contains some version upgrades (cxf, jackson, batchee) and security
backports for the recent Tomcat CVEs.

Here are the hard facts:

###############

Maven Repo:
https://repository.apache.org/content/repositories/orgapachetomee-1227/

<repositories>
<repository>
<id>tomee-9.1.3-rc1</id>
<name>Testing TomEE 9.1.3</name>
<url>
https://repository.apache.org/content/repositories/orgapachetomee-1227/
</url>
</repository>
</repositories>

###############

Binaries & Source:

https://dist.apache.org/repos/dist/dev/tomee/staging-1227/tomee-9.1.3/

###############

Tag:

https://github.com/apache/tomee/releases/tag/tomee-project-9.1.3

###############

Release notes:

https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12354125

###############

Here is an adoc generated version of the changelog as well:

== Dependency upgrade

[.compact]
 - link:https://issues.apache.org/jira/browse/TOMEE-4305[TOMEE-4305]
Backport fix for CVE-2024-23672 for TomEE 9.x
 - link:https://issues.apache.org/jira/browse/TOMEE-4306[TOMEE-4306]
Backport fix for CVE-2024-24549 for TomEE 9.x
 - link:https://issues.apache.org/jira/browse/TOMEE-4316[TOMEE-4316]
BatchEE 1.0.4
 - link:https://issues.apache.org/jira/browse/TOMEE-4290[TOMEE-4290]
Jackson 2.16.2
 - link:https://issues.apache.org/jira/browse/TOMEE-4304[TOMEE-4304]
cxf-core 4.0.4

== New Feature

[.compact]
 - link:https://issues.apache.org/jira/browse/TOMEE-3902[TOMEE-3902]
Introduce placeholder replacement to enable MDB activation properties
to be more customizable

== Bug

[.compact]
 - link:https://issues.apache.org/jira/browse/TOMEE-4295[TOMEE-4295]
tomee-embedded-maven-plugin does not register microprofile endpoints


###############

Please note:

Grype will report a vulnerability for 

apache-mime4j-core  0.8.7      0.8.10    java-archive  GHSA-jw7r-rxff-gv24  Medium

which is shaded inside of "geronimo-mail_2.1_spec-1.0.0-M1.jar".

In its current version, the dependency is _NOT_ used inside of
geronimo mail impl, so unless you are using the shaded classes
yourself, we are not affected here.
There is also another mail thread related to mail.

For signature verification, you can check on the example script here:
https://gist.github.com/rzo1/9fb1ca0d58e1fc982d596f2a94b10b32

###############

Please VOTE

[+1] go ship it
[+0] meh, don't care
[-1] stop, there is a ${showstopper}

The VOTE is open for 72h or as long as needed.

Regards
Richard


P.S. On a personal note: This will be the last TomEE 9.1.x release I
will be working on (no backports from my side anymore). I decided to
invest my volunteer time in TomEE 10+ only. If someone else wants to
maintain the 9.x line, I am happy to review related PRs. 
