Hello,

[+1] (non-binding) tested TomEE+ 10.0.1 RC2 with my web apps running
with IBM Semeru 21.0.5 on RedHat Linux 8, involving uses of Servlets,
JAX-RS, JAX-XML, CDI, JMS and Websockets, and found no regression.

On a side note, I was quite happy to see
https://nvd.nist.gov/vuln/detail/CVE-2025-2240 fixed in this RC, but I
feel that TomEE's release notes are not "doing justice" to the value
of such a TomEE patch release given the many CVE fixes since 10.0.1 (I
had to search TomEE's JIRA to find that this latter CVE is fixed
through this dependency update:
https://issues.apache.org/jira/browse/TOMEE-4466?jql=text%20~%20%22CVE-2025-2240%22)

=> May I suggest that TomEE's release notes recap all CVEs fixed since
the last released version? For Tomcat, they have this
https://tomcat.apache.org/security.html page giving an overview of
fixed vulnerabilities, but we don't have to copy that: if only the
release notes could provide a list of fixed CVEs, then I guess that
would make life easier for all who care about this.

(my 2 cents)

Thanks,
Alex

On Thu, 20 Mar 2025 at 14:33, Richard Zowalla <r...@apache.org> wrote:
>
> Hi everyone,
>
> We're calling a new vote on TomEE 10.0.1, which targets Jakarta EE 10 and 
> MicroProfile 6.0.
>
> This release includes bug fixes for user-reported issues in bval and mojarra, 
> along with other improvements—one of which resolves a problem that rendered 
> the BOMs ineffective without an exclusion.
> We fixed some issues in the embedded area as well and included the latest 
> versions of our dependencies including some CVE fixes (like in Tomcat).
>
> Here are the hard facts:
>
> ###############
>
> Maven Repo:
> https://repository.apache.org/content/repositories/orgapachetomee-1234
>
> <repositories>
> <repository>
> <id>tomee-10.0.1</id>
> <name>Testing TomEE 10.0.1</name>
> <url>
> https://repository.apache.org/content/repositories/orgapachetomee-1234
> </url>
> </repository>
> </repositories>
>
> ###############
>
> Binaries & Source:
>
> https://dist.apache.org/repos/dist/dev/tomee/staging-1234/tomee-10.0.1/
>
> ###############
>
> Tag:
>
> https://github.com/apache/tomee/releases/tag/tomee-project-10.0.1
>
> Hash:
>
> 54079bef6dcfe255342d4adba97837d1c059347a
>
>
> ###############
>
> Release note
>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12355520
>
> Here is the plain text version:
>
> == Dependency upgrade
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4446[TOMEE-4446] AMQ 6.1.5
>  - link:https://issues.apache.org/jira/browse/TOMEE-4467[TOMEE-4467] ActiveMQ 6.1.6
>  - link:https://issues.apache.org/jira/browse/TOMEE-4464[TOMEE-4464] CXF 4.1.1
>  - link:https://issues.apache.org/jira/browse/TOMEE-4451[TOMEE-4451] Commons Codec 1.18.0
>  - link:https://issues.apache.org/jira/browse/TOMEE-4453[TOMEE-4453] Commons Logging 1.3.5
>  - link:https://issues.apache.org/jira/browse/TOMEE-4441[TOMEE-4441] EclipseLink 4.0.5
>  - link:https://issues.apache.org/jira/browse/TOMEE-4461[TOMEE-4461] Jackson 2.18.3
>  - link:https://issues.apache.org/jira/browse/TOMEE-4455[TOMEE-4455] MP Config Impl 3.11.2
>  - link:https://issues.apache.org/jira/browse/TOMEE-4463[TOMEE-4463] Mojarra 4.0.11
>  - link:https://issues.apache.org/jira/browse/TOMEE-4442[TOMEE-4442] Quartz Shade 2.5.0
>  - link:https://issues.apache.org/jira/browse/TOMEE-4468[TOMEE-4468] Smallrye MP Config Impl 3.12.3
>  - link:https://issues.apache.org/jira/browse/TOMEE-4462[TOMEE-4462] Tomcat 10.1.39
>  - link:https://issues.apache.org/jira/browse/TOMEE-4440[TOMEE-4440] arquillian-tomee-embedded depends on junit 4
>  - link:https://issues.apache.org/jira/browse/TOMEE-4444[TOMEE-4444] commons codec 1.17.2
>  - link:https://issues.apache.org/jira/browse/TOMEE-4452[TOMEE-4452] commons-pool2 2.12.1
>  - link:https://issues.apache.org/jira/browse/TOMEE-4378[TOMEE-4378] geronimo-mail_2.1_spec version 1.0.1
>  - link:https://issues.apache.org/jira/browse/TOMEE-4466[TOMEE-4466] smallrye-fault-tolerance-core 6.4.3
>  - link:https://issues.apache.org/jira/browse/TOMEE-4445[TOMEE-4445] BouncyCastle 1.80
>
> == Bug
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4460[TOMEE-4460] Missing service-jar.xml in Serverless Builder and Embedded Scenarios
>  - link:https://issues.apache.org/jira/browse/TOMEE-4447[TOMEE-4447] TomEE incorrectly propagates transaction for CDI Async Events
>  - link:https://issues.apache.org/jira/browse/TOMEE-4450[TOMEE-4450] EL expressions in Jakarta Faces not working with Mojarra
>  - link:https://issues.apache.org/jira/browse/TOMEE-4454[TOMEE-4454] Missing artifact org.apache.tomee:tomee-microprofile-webapp:jar:10.0.0
>  - link:https://issues.apache.org/jira/browse/TOMEE-4459[TOMEE-4459] Running AppComposer with LogLevel.FINE and OpenJPA results in an exception
>
> ###############
>
> For signature verification, you can check on the example script here:
> https://gist.github.com/rzo1/9fb1ca0d58e1fc982d596f2a94b10b32
>
>
> Please VOTE
>
> [+1] go ship it
> [+0] meh, don't care
> [-1] stop, there is a ${showstopper}
>
> The VOTE is open for 72h or as long as needed.
>
> Regards
> Richard
