Hi This is a vote for releasing an updated quartz-openejb-shade jar. This is used by OpenEJB core to provide EJB timer services. We shade quartz to avoid conflicts if users provide it in their applications themselves. Quartz itself was vulnerable to an External XML Entity Processing issue (XXE), and in turn, so is our shaded version. This release shades an up to date Quartz package with the XXE fixed.
*Sources* https://repository.apache.org/content/repositories/orgapachetomee-1144/org/apache/openejb/shade/quartz-openejb-shade/2.2.4/quartz-openejb-shade-2.2.4-source-release.zip *Binary* https://repository.apache.org/content/repositories/orgapachetomee-1144/org/apache/openejb/shade/quartz-openejb-shade/2.2.4/quartz-openejb-shade-2.2.4.jar *Change* https://issues.apache.org/jira/browse/TOMEE-2672 (still open as the update in TomEE will refer to this as well). Please VOTE [+1] all fine, ship it [+0] don't care [-1] stop, because ${reason} The VOTE is open for 72h. Many thanks Jon