Hi all, this vote passes with the following +1:
Benedict Eisenkrämer Daniel Dias Dos Santos Alex The Rocker Cesar Hernandez (binding) Jean-Louis Monteiro (binding) Richard Zowalla (binding) I'll proceed with the steps. Gruß Richard Am Donnerstag, dem 12.10.2023 um 14:58 +0200 schrieb Richard Zowalla: > Hi all, > > this is a vote for a release of Apache TomEE 9.1.1. > > It is a maintenance release with dependencies > upgrades and bug fixes. The most notible change is dropping our own > cxf-shade in favour of CXF 4.0.3 > > It also fixes the latest Tomcat vulnerabilities by backporting and > patching Tomcat inside the TomEE 9 build. > > This release still passes the full EE9.1 TCK (thx to Jean-Louis & Jon > for triggering the builds) as well as the MP 5.0 TCK. > > ############### > > Maven Repo: > https://repository.apache.org/content/repositories/orgapachetomee-1220/ > > <repositories> > <repository> > <id>tomee-9.1.1-rc1</id> > <name>Testing TomEE 9.1.1 RC1</name> > <url> > https://repository.apache.org/content/repositories/orgapachetomee-1220/ > </url> > </repository> > </repositories> > > ############### > > Binaries & Source: > > https://dist.apache.org/repos/dist/dev/tomee/staging-1220/tomee-9.1.1/ > > ############### > > Tag: > > https://github.com/apache/tomee/releases/tag/tomee-project-9.1.1 > > > ############### > > Release notes: > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12353331 > > ############### > > Here is an adoc generated version of the changelog as well: > > > == Dependency upgrade > > [.compact] > - link:https://issues.apache.org/jira/browse/TOMEE-4246[TOMEE-4246] > ActiveMQ 5.18.2 > - link:https://issues.apache.org/jira/browse/TOMEE-4230[TOMEE-4230] > Backport fix for CVE-2023-34981 > - link:https://issues.apache.org/jira/browse/TOMEE-4239[TOMEE-4239] > Backport fix for CVE-2023-41080 > - link:https://issues.apache.org/jira/browse/TOMEE-4235[TOMEE-4235] > Bouncy Castle 1.75 > - link:https://issues.apache.org/jira/browse/TOMEE-4243[TOMEE-4243] > Bouncy Castle 1.76 > - link:https://issues.apache.org/jira/browse/TOMEE-4139[TOMEE-4139] > CXF 4.0.3 (jakarta namespace) > - link:https://issues.apache.org/jira/browse/TOMEE-4247[TOMEE-4247] > Hibernate 6.1.7 > - link:https://issues.apache.org/jira/browse/TOMEE-4227[TOMEE-4227] > Jackson 2.15.2 > - link:https://issues.apache.org/jira/browse/TOMEE-4228[TOMEE-4228] > Johnzon 1.2.21 > - link:https://issues.apache.org/jira/browse/TOMEE-4248[TOMEE-4248] > Mojarra 3.0.5 > - link:https://issues.apache.org/jira/browse/TOMEE-4254[TOMEE-4254] > Port fix for CVE-2023-42795 > - link:https://issues.apache.org/jira/browse/TOMEE-4255[TOMEE-4255] > Port fix for CVE-2023-44487 > - link:https://issues.apache.org/jira/browse/TOMEE-4256[TOMEE-4256] > Port fix for CVE-2023-45648 > - link:https://issues.apache.org/jira/browse/TOMEE-4249[TOMEE-4249] > SnakeYAML 2.2 > - link:https://issues.apache.org/jira/browse/TOMEE-4250[TOMEE-4250] > WSS4J 3.0.1 > - link:https://issues.apache.org/jira/browse/TOMEE-4232[TOMEE-4232] > bcprov-jdk15to18-1.74.jar > - link:https://issues.apache.org/jira/browse/TOMEE-4251[TOMEE-4251] > xmlsec 3.0.2 > > == Bug > > [.compact] > - link:https://issues.apache.org/jira/browse/TOMEE-4222[TOMEE-4222] > @LoginToContinue JSR-375 (JavaEE Security API) causes > IllegalArgumentException > - link:https://issues.apache.org/jira/browse/TOMEE-4225[TOMEE-4225] > Remove commons-net from TomEE distribution > - link:https://issues.apache.org/jira/browse/TOMEE-4226[TOMEE-4226] > DataSource definition fails when @DataSourceDefinition doesn't define > url property > > == Improvement > > [.compact] > - link:https://issues.apache.org/jira/browse/TOMEE-4031[TOMEE-4031] > Improve TomEE Jmx Mbean Support for Parameter Names > > == Fixed Common Vulnerabilities and Exposures (CVEs) > > [.compact] > - link:https://issues.apache.org/jira/browse/TOMEE-4230[TOMEE-4230] > Backport fix for CVE-2023-34981 > - link:https://issues.apache.org/jira/browse/TOMEE-4239[TOMEE-4239] > Backport fix for CVE-2023-41080 > - link:https://issues.apache.org/jira/browse/TOMEE-4254[TOMEE-4254] > Port fix for CVE-2023-42795 > - link:https://issues.apache.org/jira/browse/TOMEE-4255[TOMEE-4255] > Port fix for CVE-2023-44487 > - link:https://issues.apache.org/jira/browse/TOMEE-4256[TOMEE-4256] > Port fix for CVE-2023-45648 > - link:https://issues.apache.org/jira/browse/TOMEE-4227[TOMEE-4227] > Jackson 2.15.2 > > > ############### > > Here is the dependency diff from 9.1.0 to 9.1.1 created with our > release tools: > > > artifactId from to > ------------------------------- -------- -------- > jackson-annotations 2.15.1 2.15.2 > jackson-core 2.15.1 2.15.2 > jackson-databind 2.15.1 2.15.2 > jackson-dataformat-yaml 2.15.1 2.15.2 > java-support 8.3.1 8.4.0 > activemq-client-jakarta 5.18.1 5.18.2 > activemq-jdbc-store 5.18.1 5.18.2 > johnzon-core 1.2.20 1.2.21 > johnzon-jaxrs 1.2.20 1.2.21 > johnzon-jsonb 1.2.20 1.2.21 > johnzon-jsonp-strict 1.2.20 1.2.21 > johnzon-mapper 1.2.20 1.2.21 > xmlsec 3.0.1 3.0.2 > activemq-broker-shade 9.1.0 9.1.1 > activemq-kahadb-store-shade 9.1.0 9.1.1 > activemq-ra-shade 9.1.0 9.1.1 > commons-dbcp2-shade 9.1.0 9.1.1 > servicemix-bcel-shade 9.1.0 9.1.1 > sxc-shade 9.1.0 9.1.1 > taglibs-shade 9.1.0 9.1.1 > tomee-bootstrap 9.1.0 9.1.1 > xmlschema-core 2.2.5 2.3.1 > wss4j-bindings 3.0.0 3.0.1 > wss4j-policy 3.0.0 3.0.1 > wss4j-ws-security-common 3.0.0 3.0.1 > wss4j-ws-security-dom 3.0.0 3.0.1 > wss4j-ws-security-policy-stax 3.0.0 3.0.1 > wss4j-ws-security-stax 3.0.0 3.0.1 > bcpkix-jdk15to18 1.73 1.76 > bcprov-jdk15to18 1.73 1.76 > bcutil-jdk15to18 1.73 1.76 > jakarta.faces 3.0.2 3.0.5 > stax-ex 1.8.3 2.0.1 > opensaml-core 4.2.0 4.3.0 > opensaml-profile-api 4.2.0 4.3.0 > opensaml-saml-api 4.2.0 4.3.0 > opensaml-saml-impl 4.2.0 4.3.0 > opensaml-security-api 4.2.0 4.3.0 > opensaml-security-impl 4.2.0 4.3.0 > opensaml-soap-api 4.2.0 4.3.0 > opensaml-xacml-api 4.2.0 4.3.0 > opensaml-xacml-impl 4.2.0 4.3.0 > opensaml-xacml-saml-api 4.2.0 4.3.0 > opensaml-xacml-saml-impl 4.2.0 4.3.0 > opensaml-xmlsec-api 4.2.0 4.3.0 > opensaml-xmlsec-impl 4.2.0 4.3.0 > asm 9.3 9.5 > reactive-streams 1.0.3 1.0.4 > snakeyaml 2.0 2.2 > > > ############### > > Please VOTE > > [+1] go ship it > [+0] meh, don't care > [-1] stop, there is a ${showstopper} > > The VOTE is open for 72h or as long as needed. > > Gruß > Richard