+1 (non-binding) Thanks, Martin --
> Am 08.04.2024 um 11:33 schrieb Richard Zowalla <r...@apache.org>: > > Hello everyone, > > This is a vote for the release of Apache TomEE 9.1.3 > > It contains some version upgrades (cxf, jackson, batchee) and security > backports for the recent Tomcat CVEs. > > Here are the hard facts: > > ############### > > Maven Repo: > https://repository.apache.org/content/repositories/orgapachetomee-1227/ > > <repositories> > <repository> > <id>tomee-9.1.3-rc1</id> > <name>Testing TomEE 9.1.3</name> > <url> > https://repository.apache.org/content/repositories/orgapachetomee-1227/ > </url> > </repository> > </repositories> > > ############### > > Binaries & Source: > > https://dist.apache.org/repos/dist/dev/tomee/staging-1227/tomee-9.1.3/ > > ############### > > Tag: > > https://github.com/apache/tomee/releases/tag/tomee-project-9.1.3 > > ############### > > Release notes: > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12354125 > > ############### > > Here is an adoc generated version of the changelog as well: > > == Dependency upgrade > > [.compact] > - link:https://issues.apache.org/jira/browse/TOMEE-4305[TOMEE-4305] > Backport fix for CVE-2024-23672 for TomEE 9.x > - link:https://issues.apache.org/jira/browse/TOMEE-4306[TOMEE-4306] > Backport fix for CVE-2024-24549 for TomEE 9.x > - link:https://issues.apache.org/jira/browse/TOMEE-4316[TOMEE-4316] > BatchEE 1.0.4 > - link:https://issues.apache.org/jira/browse/TOMEE-4290[TOMEE-4290] > Jackson 2.16.2 > - link:https://issues.apache.org/jira/browse/TOMEE-4304[TOMEE-4304] > cxf-core 4.0.4 > > == New Feature > > [.compact] > - link:https://issues.apache.org/jira/browse/TOMEE-3902[TOMEE-3902] > Introduce placeholder replacement to enable MDB activation properties > to be more customizable > > == Bug > > [.compact] > - link:https://issues.apache.org/jira/browse/TOMEE-4295[TOMEE-4295] > tomee-embedded-maven-plugin does not register microprofile endpoints > > > ############### > > Please note: > > Grype will report a vulnerability for > > apache-mime4j-core 0.8.7 0.8.10 java-archive GHSA-jw7r-rxff- > gv24 Medium > > which is shaded inside of "geronimo-mail_2.1_spec-1.0.0-M1.jar". > > In it's current version, the dependency is _NOT_ used inside of > geronimo mail impl, so unless you are using the shaded classes > yourself, we are not affected here. > There is also another mail thread related to mail. > > For signature verification, you can check on the example script here: > https://gist.github.com/rzo1/9fb1ca0d58e1fc982d596f2a94b10b32 > > ############### > > Please VOTE > > [+1] go ship it > [+0] meh, don't care > [-1] stop, there is a ${showstopper} > > The VOTE is open for 72h or as long as needed. > > Gruß > Richard > > > P.S. On a personal note: This will be the last TomEE 9.1.x release I > will be working on (no backports from my side anymore). I decided to > invest my volunteer time in TomEE 10+ only. If someone else wants to > maintain the 9.x line, I am happy to review related PRs.
