Apache TomEE

Apache TomEE 9.1.1 has been released.

It is a maintenance release with some bug fixes and dependencies upgrades. The most notable change is dropping our own cxf-shade in favour of CXF 4.0.

It fixes the latest Tomcat vulnerabilities by back porting and patching Tomcat inside the TomEE build. This release still passes the EE9.1 TCK as well as the MicroProfile 5.0 TCK.

Dependency upgrade

TOMEE-4246 ActiveMQ 5.18.2
TOMEE-4230 Backport fix for CVE-2023-34981
TOMEE-4239 Backport fix for CVE-2023-41080
TOMEE-4235 Bouncy Castle 1.75
TOMEE-4243 Bouncy Castle 1.76
TOMEE-4139 CXF 4.0.3 (jakarta namespace)
TOMEE-4247 Hibernate 6.1.7
TOMEE-4227 Jackson 2.15.2
TOMEE-4228 Johnzon 1.2.21
TOMEE-4248 Mojarra 3.0.5
TOMEE-4254 Port fix for CVE-2023-42795
TOMEE-4255 Port fix for CVE-2023-44487
TOMEE-4256 Port fix for CVE-2023-45648
TOMEE-4249 SnakeYAML 2.2
TOMEE-4250 WSS4J 3.0.1
TOMEE-4232 bcprov-jdk15to18-1.74.jar
TOMEE-4251 xmlsec 3.0.2

Bug

TOMEE-4222 @LoginToContinue JSR-375 (JavaEE Security API) causes IllegalArgumentException
TOMEE-4225 Remove commons-net from TomEE distribution
TOMEE-4226 DataSource definition fails when @DataSourceDefinition doesn’t define url property

Improvement

TOMEE-4031 Improve TomEE Jmx Mbean Support for Parameter Names

Fixed Common Vulnerabilities and Exposures (CVEs)

TOMEE-4230 Backport fix for CVE-2023-34981
TOMEE-4254 Port fix for CVE-2023-42795
TOMEE-4227 Jackson 2.15.2

Apache TomEE 9.1.1 Release Notes

Dependency upgrade

Bug

Improvement

Fixed Common Vulnerabilities and Exposures (CVEs)