Bumping this one up - this addresses a CVE (CVE-2019-13990 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13990), and it would be good to release unless there are issues with it.
Thanks

Jon

On Mon, Sep 9, 2019 at 4:58 PM Jean-Louis Monteiro <[email protected]> wrote:

> Looks good.
> +1
> --
> Jean-Louis Monteiro
> http://twitter.com/jlouismonteiro
> http://www.tomitribe.com
>
>
> On Sun, Sep 8, 2019 at 10:26 PM Jonathan Gallimore <[email protected]> wrote:
>
> > Hi
> >
> > This is a vote for releasing an updated quartz-openejb-shade jar. This is
> > used by OpenEJB core to provide EJB timer services. We shade quartz to
> > avoid conflicts if users provide it in their applications themselves.
> > Quartz itself was vulnerable to an External XML Entity Processing issue
> > (XXE), and in turn, so is our shaded version. This release shades an up to
> > date Quartz package with the XXE fixed.
> >
> > *Sources*
> >
> > https://repository.apache.org/content/repositories/orgapachetomee-1144/org/apache/openejb/shade/quartz-openejb-shade/2.2.4/quartz-openejb-shade-2.2.4-source-release.zip
> >
> > *Binary*
> >
> > https://repository.apache.org/content/repositories/orgapachetomee-1144/org/apache/openejb/shade/quartz-openejb-shade/2.2.4/quartz-openejb-shade-2.2.4.jar
> >
> > *Change*
> > https://issues.apache.org/jira/browse/TOMEE-2672 (still open as the update
> > in TomEE will refer to this as well).
> >
> > Please VOTE
> > [+1] all fine, ship it
> > [+0] don't care
> > [-1] stop, because ${reason}
> >
> > The VOTE is open for 72h.
> >
> > Many thanks
> >
> > Jon
