+1
Thank you!
Frankie
> -----Ursprüngliche Nachricht-----
> Von: Richard Zowalla <r...@apache.org>
> Gesendet: Montag, 8. April 2024 11:34
> An: dev@tomee.apache.org
> Betreff: [VOTE] Apache TomEE 9.1.3
>
> Hello everyone,
>
> This is a vote for the release of Apache TomEE 9.1.3
>
> It contains some version upgrades (cxf, jackson, batchee) and security
> backports for the recent Tomcat CVEs.
>
> Here are the hard facts:
>
> ###############
>
> Maven Repo:
> https://repository.apache.org/content/repositories/orgapachetomee-1227/
>
> <repositories>
> <repository>
> <id>tomee-9.1.3-rc1</id>
> <name>Testing TomEE 9.1.3</name>
> <url>
> https://repository.apache.org/content/repositories/orgapachetomee-1227/
> </url>
> </repository>
> </repositories>
>
> ###############
>
> Binaries & Source:
>
> https://dist.apache.org/repos/dist/dev/tomee/staging-1227/tomee-9.1.3/
>
> ###############
>
> Tag:
>
> https://github.com/apache/tomee/releases/tag/tomee-project-9.1.3
>
> ###############
>
> Release notes:
>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320
> &version=12354125
>
> ###############
>
> Here is an adoc generated version of the changelog as well:
>
> == Dependency upgrade
>
> [.compact]
> - link:https://issues.apache.org/jira/browse/TOMEE-4305[TOMEE-4305]
> Backport fix for CVE-2024-23672 for TomEE 9.x
> - link:https://issues.apache.org/jira/browse/TOMEE-4306[TOMEE-4306]
> Backport fix for CVE-2024-24549 for TomEE 9.x
> - link:https://issues.apache.org/jira/browse/TOMEE-4316[TOMEE-4316]
> BatchEE 1.0.4
> - link:https://issues.apache.org/jira/browse/TOMEE-4290[TOMEE-4290]
> Jackson 2.16.2
> - link:https://issues.apache.org/jira/browse/TOMEE-4304[TOMEE-4304]
> cxf-core 4.0.4
>
> == New Feature
>
> [.compact]
> - link:https://issues.apache.org/jira/browse/TOMEE-3902[TOMEE-3902]
> Introduce placeholder replacement to enable MDB activation properties to
> be more customizable
>
> == Bug
>
> [.compact]
> - link:https://issues.apache.org/jira/browse/TOMEE-4295[TOMEE-4295]
> tomee-embedded-maven-plugin does not register microprofile endpoints
>
>
> ###############
>
> Please note:
>
> Grype will report a vulnerability for
>
> apache-mime4j-core 0.8.7 0.8.10 java-archive GHSA-jw7r-rxff-
> gv24 Medium
>
> which is shaded inside of "geronimo-mail_2.1_spec-1.0.0-M1.jar".
>
> In it's current version, the dependency is _NOT_ used inside of geronimo
> mail impl, so unless you are using the shaded classes yourself, we are not
> affected here.
> There is also another mail thread related to mail.
>
> For signature verification, you can check on the example script here:
> https://gist.github.com/rzo1/9fb1ca0d58e1fc982d596f2a94b10b32
>
> ###############
>
> Please VOTE
>
> [+1] go ship it
> [+0] meh, don't care
> [-1] stop, there is a ${showstopper}
>
> The VOTE is open for 72h or as long as needed.
>
> Gruß
> Richard
>
>
> P.S. On a personal note: This will be the last TomEE 9.1.x release I will be
> working on (no backports from my side anymore). I decided to invest my
> volunteer time in TomEE 10+ only. If someone else wants to maintain the 9.x
> line, I am happy to review related PRs.