+1 (non-binding) Successfully tested the TomEE 9.1.3 release candidate with TomEE+ with more than 10 different web applications, with both Java 17 and Java 21 as the Java runtime (Java sources have been compiled with a JDK 17) on Linux Redhat 8, and using of these various Jakarta EE 9 features: Servlet, JSP, EJB, CDI, JAX RS, JSON-P, JMS (in some cases with the embedded AMQ and using connection to remote AMQ server in other cases), Websockets, and JavaMail I observed no performance issues, and confirm that CVE fixes and port of TomEE 8's of placeholder support in MDBs.
And special thanks to Richard for having ran this Apache TomEE 9.1.3 vote : I understand the difficulty to keep 9.x versions maintained until 10.x is released (thanks for its M1 milestone too), I hope there will not be too many critical CVEs coming out on 9.x before 10.x is released... Alex Le lun. 8 avr. 2024 à 14:57, Alex The Rocker <alex.m3...@gmail.com> a écrit : > > Thank you very much Richard for this very kind effort ! > I have started some validations with this TomEE 9.1.3 candidate > release, so far so good, but I want to run as many tests as possible > with the broadest possible scope. > I should be able to provide a vote Wednesday this week at most. > > Alex > > Le lun. 8 avr. 2024 à 11:34, Richard Zowalla <r...@apache.org> a écrit : > > > > Hello everyone, > > > > This is a vote for the release of Apache TomEE 9.1.3 > > > > It contains some version upgrades (cxf, jackson, batchee) and security > > backports for the recent Tomcat CVEs. > > > > Here are the hard facts: > > > > ############### > > > > Maven Repo: > > https://repository.apache.org/content/repositories/orgapachetomee-1227/ > > > > <repositories> > > <repository> > > <id>tomee-9.1.3-rc1</id> > > <name>Testing TomEE 9.1.3</name> > > <url> > > https://repository.apache.org/content/repositories/orgapachetomee-1227/ > > </url> > > </repository> > > </repositories> > > > > ############### > > > > Binaries & Source: > > > > https://dist.apache.org/repos/dist/dev/tomee/staging-1227/tomee-9.1.3/ > > > > ############### > > > > Tag: > > > > https://github.com/apache/tomee/releases/tag/tomee-project-9.1.3 > > > > ############### > > > > Release notes: > > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12354125 > > > > ############### > > > > Here is an adoc generated version of the changelog as well: > > > > == Dependency upgrade > > > > [.compact] > > - link:https://issues.apache.org/jira/browse/TOMEE-4305[TOMEE-4305] > > Backport fix for CVE-2024-23672 for TomEE 9.x > > - link:https://issues.apache.org/jira/browse/TOMEE-4306[TOMEE-4306] > > Backport fix for CVE-2024-24549 for TomEE 9.x > > - link:https://issues.apache.org/jira/browse/TOMEE-4316[TOMEE-4316] > > BatchEE 1.0.4 > > - link:https://issues.apache.org/jira/browse/TOMEE-4290[TOMEE-4290] > > Jackson 2.16.2 > > - link:https://issues.apache.org/jira/browse/TOMEE-4304[TOMEE-4304] > > cxf-core 4.0.4 > > > > == New Feature > > > > [.compact] > > - link:https://issues.apache.org/jira/browse/TOMEE-3902[TOMEE-3902] > > Introduce placeholder replacement to enable MDB activation properties > > to be more customizable > > > > == Bug > > > > [.compact] > > - link:https://issues.apache.org/jira/browse/TOMEE-4295[TOMEE-4295] > > tomee-embedded-maven-plugin does not register microprofile endpoints > > > > > > ############### > > > > Please note: > > > > Grype will report a vulnerability for > > > > apache-mime4j-core 0.8.7 0.8.10 java-archive GHSA-jw7r-rxff- > > gv24 Medium > > > > which is shaded inside of "geronimo-mail_2.1_spec-1.0.0-M1.jar". > > > > In it's current version, the dependency is _NOT_ used inside of > > geronimo mail impl, so unless you are using the shaded classes > > yourself, we are not affected here. > > There is also another mail thread related to mail. > > > > For signature verification, you can check on the example script here: > > https://gist.github.com/rzo1/9fb1ca0d58e1fc982d596f2a94b10b32 > > > > ############### > > > > Please VOTE > > > > [+1] go ship it > > [+0] meh, don't care > > [-1] stop, there is a ${showstopper} > > > > The VOTE is open for 72h or as long as needed. > > > > Gruß > > Richard > > > > > > P.S. On a personal note: This will be the last TomEE 9.1.x release I > > will be working on (no backports from my side anymore). I decided to > > invest my volunteer time in TomEE 10+ only. If someone else wants to > > maintain the 9.x line, I am happy to review related PRs.