Hi all, this is a vote for a release of Apache TomEE 9.1.1.
It is a maintenance release with dependencies upgrades and bug fixes. The most notible change is dropping our own cxf-shade in favour of CXF 4.0.3 It also fixes the latest Tomcat vulnerabilities by backporting and patching Tomcat inside the TomEE 9 build. This release still passes the full EE9.1 TCK (thx to Jean-Louis & Jon for triggering the builds) as well as the MP 5.0 TCK. ############### Maven Repo: https://repository.apache.org/content/repositories/orgapachetomee-1220/ <repositories> <repository> <id>tomee-9.1.1-rc1</id> <name>Testing TomEE 9.1.1 RC1</name> <url> https://repository.apache.org/content/repositories/orgapachetomee-1220/ </url> </repository> </repositories> ############### Binaries & Source: https://dist.apache.org/repos/dist/dev/tomee/staging-1220/tomee-9.1.1/ ############### Tag: https://github.com/apache/tomee/releases/tag/tomee-project-9.1.1 ############### Release notes: https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12353331 ############### Here is an adoc generated version of the changelog as well: == Dependency upgrade [.compact] - link:https://issues.apache.org/jira/browse/TOMEE-4246[TOMEE-4246] ActiveMQ 5.18.2 - link:https://issues.apache.org/jira/browse/TOMEE-4230[TOMEE-4230] Backport fix for CVE-2023-34981 - link:https://issues.apache.org/jira/browse/TOMEE-4239[TOMEE-4239] Backport fix for CVE-2023-41080 - link:https://issues.apache.org/jira/browse/TOMEE-4235[TOMEE-4235] Bouncy Castle 1.75 - link:https://issues.apache.org/jira/browse/TOMEE-4243[TOMEE-4243] Bouncy Castle 1.76 - link:https://issues.apache.org/jira/browse/TOMEE-4139[TOMEE-4139] CXF 4.0.3 (jakarta namespace) - link:https://issues.apache.org/jira/browse/TOMEE-4247[TOMEE-4247] Hibernate 6.1.7 - link:https://issues.apache.org/jira/browse/TOMEE-4227[TOMEE-4227] Jackson 2.15.2 - link:https://issues.apache.org/jira/browse/TOMEE-4228[TOMEE-4228] Johnzon 1.2.21 - link:https://issues.apache.org/jira/browse/TOMEE-4248[TOMEE-4248] Mojarra 3.0.5 - link:https://issues.apache.org/jira/browse/TOMEE-4254[TOMEE-4254] Port fix for CVE-2023-42795 - link:https://issues.apache.org/jira/browse/TOMEE-4255[TOMEE-4255] Port fix for CVE-2023-44487 - link:https://issues.apache.org/jira/browse/TOMEE-4256[TOMEE-4256] Port fix for CVE-2023-45648 - link:https://issues.apache.org/jira/browse/TOMEE-4249[TOMEE-4249] SnakeYAML 2.2 - link:https://issues.apache.org/jira/browse/TOMEE-4250[TOMEE-4250] WSS4J 3.0.1 - link:https://issues.apache.org/jira/browse/TOMEE-4232[TOMEE-4232] bcprov-jdk15to18-1.74.jar - link:https://issues.apache.org/jira/browse/TOMEE-4251[TOMEE-4251] xmlsec 3.0.2 == Bug [.compact] - link:https://issues.apache.org/jira/browse/TOMEE-4222[TOMEE-4222] @LoginToContinue JSR-375 (JavaEE Security API) causes IllegalArgumentException - link:https://issues.apache.org/jira/browse/TOMEE-4225[TOMEE-4225] Remove commons-net from TomEE distribution - link:https://issues.apache.org/jira/browse/TOMEE-4226[TOMEE-4226] DataSource definition fails when @DataSourceDefinition doesn't define url property == Improvement [.compact] - link:https://issues.apache.org/jira/browse/TOMEE-4031[TOMEE-4031] Improve TomEE Jmx Mbean Support for Parameter Names == Fixed Common Vulnerabilities and Exposures (CVEs) [.compact] - link:https://issues.apache.org/jira/browse/TOMEE-4230[TOMEE-4230] Backport fix for CVE-2023-34981 - link:https://issues.apache.org/jira/browse/TOMEE-4239[TOMEE-4239] Backport fix for CVE-2023-41080 - link:https://issues.apache.org/jira/browse/TOMEE-4254[TOMEE-4254] Port fix for CVE-2023-42795 - link:https://issues.apache.org/jira/browse/TOMEE-4255[TOMEE-4255] Port fix for CVE-2023-44487 - link:https://issues.apache.org/jira/browse/TOMEE-4256[TOMEE-4256] Port fix for CVE-2023-45648 - link:https://issues.apache.org/jira/browse/TOMEE-4227[TOMEE-4227] Jackson 2.15.2 ############### Here is the dependency diff from 9.1.0 to 9.1.1 created with our release tools: artifactId from to ------------------------------- -------- -------- jackson-annotations 2.15.1 2.15.2 jackson-core 2.15.1 2.15.2 jackson-databind 2.15.1 2.15.2 jackson-dataformat-yaml 2.15.1 2.15.2 java-support 8.3.1 8.4.0 activemq-client-jakarta 5.18.1 5.18.2 activemq-jdbc-store 5.18.1 5.18.2 johnzon-core 1.2.20 1.2.21 johnzon-jaxrs 1.2.20 1.2.21 johnzon-jsonb 1.2.20 1.2.21 johnzon-jsonp-strict 1.2.20 1.2.21 johnzon-mapper 1.2.20 1.2.21 xmlsec 3.0.1 3.0.2 activemq-broker-shade 9.1.0 9.1.1 activemq-kahadb-store-shade 9.1.0 9.1.1 activemq-ra-shade 9.1.0 9.1.1 commons-dbcp2-shade 9.1.0 9.1.1 servicemix-bcel-shade 9.1.0 9.1.1 sxc-shade 9.1.0 9.1.1 taglibs-shade 9.1.0 9.1.1 tomee-bootstrap 9.1.0 9.1.1 xmlschema-core 2.2.5 2.3.1 wss4j-bindings 3.0.0 3.0.1 wss4j-policy 3.0.0 3.0.1 wss4j-ws-security-common 3.0.0 3.0.1 wss4j-ws-security-dom 3.0.0 3.0.1 wss4j-ws-security-policy-stax 3.0.0 3.0.1 wss4j-ws-security-stax 3.0.0 3.0.1 bcpkix-jdk15to18 1.73 1.76 bcprov-jdk15to18 1.73 1.76 bcutil-jdk15to18 1.73 1.76 jakarta.faces 3.0.2 3.0.5 stax-ex 1.8.3 2.0.1 opensaml-core 4.2.0 4.3.0 opensaml-profile-api 4.2.0 4.3.0 opensaml-saml-api 4.2.0 4.3.0 opensaml-saml-impl 4.2.0 4.3.0 opensaml-security-api 4.2.0 4.3.0 opensaml-security-impl 4.2.0 4.3.0 opensaml-soap-api 4.2.0 4.3.0 opensaml-xacml-api 4.2.0 4.3.0 opensaml-xacml-impl 4.2.0 4.3.0 opensaml-xacml-saml-api 4.2.0 4.3.0 opensaml-xacml-saml-impl 4.2.0 4.3.0 opensaml-xmlsec-api 4.2.0 4.3.0 opensaml-xmlsec-impl 4.2.0 4.3.0 asm 9.3 9.5 reactive-streams 1.0.3 1.0.4 snakeyaml 2.0 2.2 ############### Please VOTE [+1] go ship it [+0] meh, don't care [-1] stop, there is a ${showstopper} The VOTE is open for 72h or as long as needed. Gruß Richard