Hi all, this is a vote for a release of Apache TomEE 9.1.0.
It is a maintenance release with some bug fixes and dependencies upgrades (MicroProfile 5, ActiveMQ, Johnzon, XBean, etc). It also fixes the latest Tomcat vulnerabilities (CVE-2023-28708, CVE- 2023-24998, CVE-2023-28709) by backporting and patching Tomcat inside the TomEE 9 build. ############### Maven Repo: https://repository.apache.org/content/repositories/orgapachetomee-1217/ <repositories> <repository> <id>tomee-9.1.0-rc1</id> <name>Testing TomEE 9.1.0 RC1</name> <url> https://repository.apache.org/content/repositories/orgapachetomee-1217/ </url> </repository> </repositories> ############### Binaries & Source: https://dist.apache.org/repos/dist/dev/tomee/staging-1217/tomee-9.1.0/ ############### Tag: https://github.com/apache/tomee/releases/tag/tomee-project-9.1.0 ############### Release notes: https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12353156 ############### Here is an adoc generated version of the changelog as well: == Dependency upgrade [.compact] - link:https://issues.apache.org/jira/browse/TOMEE-4217[TOMEE-4217] Arquillian 1.7.0.Final - link:https://issues.apache.org/jira/browse/TOMEE-4204[TOMEE-4204] Bouncycastle 1.73 - link:https://issues.apache.org/jira/browse/TOMEE-4187[TOMEE-4187] Commons FileUpload 1.5 - link:https://issues.apache.org/jira/browse/TOMEE-4218[TOMEE-4218] HSQLDB 2.7.2 - link:https://issues.apache.org/jira/browse/TOMEE-4221[TOMEE-4221] JUnit 5.9.3 - link:https://issues.apache.org/jira/browse/TOMEE-4212[TOMEE-4212] Jackson 2.15.0 - link:https://issues.apache.org/jira/browse/TOMEE-4216[TOMEE-4216] Jackson 2.15.1 - link:https://issues.apache.org/jira/browse/TOMEE-4208[TOMEE-4208] Johnzon 1.2.20 - link:https://issues.apache.org/jira/browse/TOMEE-4205[TOMEE-4205] Jose4j 0.9.3 - link:https://issues.apache.org/jira/browse/TOMEE-4203[TOMEE-4203] Microprofile Config API 3.0.3, Fault Tolerance Impl 6.2.2, OpenTracing Impl 3.0.3 - link:https://issues.apache.org/jira/browse/TOMEE-4141[TOMEE-4141] SmallRye on 9.x branch - link:https://issues.apache.org/jira/browse/TOMEE-4061[TOMEE-4061] Wrap up updates for TomEE 9.x - link:https://issues.apache.org/jira/browse/TOMEE-4220[TOMEE-4220] log4j 2.20.0 (integration) - link:https://issues.apache.org/jira/browse/TOMEE-4213[TOMEE-4213] snakeyaml version 2.0 mitigate CVE-2022-1471 - link:https://issues.apache.org/jira/browse/TOMEE-4219[TOMEE-4219] xbeans 4.23 == Bug [.compact] - link:https://issues.apache.org/jira/browse/TOMEE-4181[TOMEE-4181] BCProv jar loses its signature during the patch process - link:https://issues.apache.org/jira/browse/TOMEE-4183[TOMEE-4183] TomEE 9.0.0 is not creating service in Windows 10 incompatible software - link:https://issues.apache.org/jira/browse/TOMEE-4189[TOMEE-4189] java.lang.ClassNotFoundException: org.apache.openejb.loader.SystemInstance - link:https://issues.apache.org/jira/browse/TOMEE-4192[TOMEE-4192] ApplicationComposers do not clear GC references on release - link:https://issues.apache.org/jira/browse/TOMEE-4174[TOMEE-4174] Port TOMEE-3779 to 9.x - link:https://issues.apache.org/jira/browse/TOMEE-4199[TOMEE-4199] jakartaee-api with tomcat classifier has too much in it - link:https://issues.apache.org/jira/browse/TOMEE-4112[TOMEE-4112] Performance Regression in bean resolution in EAR files == Improvement [.compact] - link:https://issues.apache.org/jira/browse/TOMEE-4200[TOMEE-4200] Use ActiveMQ client jakarta instead of shading it in TomEE - link:https://issues.apache.org/jira/browse/TOMEE-4202[TOMEE-4202] Backport CVE fixes of Tomcat 10.1.x to 10.0.27 == Task [.compact] - link:https://issues.apache.org/jira/browse/TOMEE-4053[TOMEE-4053] Dependency properties cleanup == Documentation [.compact] - link:https://issues.apache.org/jira/browse/TOMEE-4186[TOMEE-4186] Update download page for discontinued branches == Wish [.compact] - link:https://issues.apache.org/jira/browse/TOMEE-4190[TOMEE-4190] RunWithApplicationComposer should support inheritance == Fixed Common Vulnerabilities and Exposures (CVEs) [.compact] - link:https://issues.apache.org/jira/browse/TOMEE-4187[TOMEE-4187] Commons FileUpload 1.5 - link:https://issues.apache.org/jira/browse/TOMEE-4202[TOMEE-4202] Backport CVE fixes of Tomcat 10.1.x to 10.0.27 ############### Here is the dependency diff from 8.0.14 to 8.0.15 created with our release tools: artifactId from to ------------------------------------------ -------- -------- jackson-annotations 2.14.1 2.15.1 jackson-core 2.14.1 2.15.1 jackson-databind 2.14.1 2.15.1 jackson-dataformat-yaml 2.14.1 2.15.1 mutiny 1.7.0 1.8.0 jandex 3.0.0 3.0.1 smallrye-fault-tolerance 6.0.0 6.2.2 smallrye-fault-tolerance-api 6.0.0 6.2.2 smallrye-fault-tolerance-autoconfig-core 6.0.0 6.2.2 smallrye-fault-tolerance-core 6.0.0 6.2.2 smallrye-health 4.0.0 4.0.1 smallrye-health-api 4.0.0 4.0.1 smallrye-open-api-core 3.0.0 3.0.1 smallrye-open-api-jaxrs 3.0.0 3.0.1 smallrye-opentracing 3.0.0 3.0.3 smallrye-opentracing-contrib 3.0.0 3.0.3 activemq-jdbc-store 5.16.5 5.18.1 johnzon-core 1.2.19 1.2.20 johnzon-jaxrs 1.2.19 1.2.20 johnzon-jsonb 1.2.19 1.2.20 johnzon-jsonp-strict 1.2.19 1.2.20 johnzon-mapper 1.2.19 1.2.20 jakartaee-api 9.1-M2 9.1.1 xbean-asm9-shaded 4.22 4.23 xbean-bundleutils 4.22 4.23 xbean-finder-shaded 4.22 4.23 xbean-naming 4.22 4.23 xbean-reflect 4.22 4.23 jose4j 0.7.9 0.9.3 bcprov-jdk15to18 1.70 1.73 microprofile-config-api 3.0.2 3.0.3 hsqldb 2.7.1 2.7.2 snakeyaml 1.33 2.0 ############### Please VOTE [+1] go ship it [+0] meh, don't care [-1] stop, there is a ${showstopper} The VOTE is open for 72h or as long as needed. Gruß Richard
