Hi, +1 On Sat, Apr 13, 2024, 15:29 Richard Zowalla <r...@apache.org> wrote:
> Here is my own +1 > > Am Montag, dem 08.04.2024 um 11:33 +0200 schrieb Richard Zowalla: > > Hello everyone, > > > > This is a vote for the release of Apache TomEE 9.1.3 > > > > It contains some version upgrades (cxf, jackson, batchee) and > > security > > backports for the recent Tomcat CVEs. > > > > Here are the hard facts: > > > > ############### > > > > Maven Repo: > > https://repository.apache.org/content/repositories/orgapachetomee-1227/ > > > > <repositories> > > <repository> > > <id>tomee-9.1.3-rc1</id> > > <name>Testing TomEE 9.1.3</name> > > <url> > > https://repository.apache.org/content/repositories/orgapachetomee-1227/ > > </url> > > </repository> > > </repositories> > > > > ############### > > > > Binaries & Source: > > > > https://dist.apache.org/repos/dist/dev/tomee/staging-1227/tomee-9.1.3/ > > > > ############### > > > > Tag: > > > > https://github.com/apache/tomee/releases/tag/tomee-project-9.1.3 > > > > ############### > > > > Release notes: > > > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12354125 > > > > ############### > > > > Here is an adoc generated version of the changelog as well: > > > > == Dependency upgrade > > > > [.compact] > > - link:https://issues.apache.org/jira/browse/TOMEE-4305[TOMEE-4305] > > Backport fix for CVE-2024-23672 for TomEE 9.x > > - link:https://issues.apache.org/jira/browse/TOMEE-4306[TOMEE-4306] > > Backport fix for CVE-2024-24549 for TomEE 9.x > > - link:https://issues.apache.org/jira/browse/TOMEE-4316[TOMEE-4316] > > BatchEE 1.0.4 > > - link:https://issues.apache.org/jira/browse/TOMEE-4290[TOMEE-4290] > > Jackson 2.16.2 > > - link:https://issues.apache.org/jira/browse/TOMEE-4304[TOMEE-4304] > > cxf-core 4.0.4 > > > > == New Feature > > > > [.compact] > > - link:https://issues.apache.org/jira/browse/TOMEE-3902[TOMEE-3902] > > Introduce placeholder replacement to enable MDB activation properties > > to be more customizable > > > > == Bug > > > > [.compact] > > - link:https://issues.apache.org/jira/browse/TOMEE-4295[TOMEE-4295] > > tomee-embedded-maven-plugin does not register microprofile endpoints > > > > > > ############### > > > > Please note: > > > > Grype will report a vulnerability for > > > > apache-mime4j-core 0.8.7 0.8.10 java-archive GHSA-jw7r- > > rxff- > > gv24 Medium > > > > which is shaded inside of "geronimo-mail_2.1_spec-1.0.0-M1.jar". > > > > In it's current version, the dependency is _NOT_ used inside of > > geronimo mail impl, so unless you are using the shaded classes > > yourself, we are not affected here. > > There is also another mail thread related to mail. > > > > For signature verification, you can check on the example script here: > > https://gist.github.com/rzo1/9fb1ca0d58e1fc982d596f2a94b10b32 > > > > ############### > > > > Please VOTE > > > > [+1] go ship it > > [+0] meh, don't care > > [-1] stop, there is a ${showstopper} > > > > The VOTE is open for 72h or as long as needed. > > > > Gruß > > Richard > > > > > > P.S. On a personal note: This will be the last TomEE 9.1.x release I > > will be working on (no backports from my side anymore). I decided to > > invest my volunteer time in TomEE 10+ only. If someone else wants to > > maintain the 9.x line, I am happy to review related PRs. > >
