I'll apply the fix today, but please note that getting a release out depends on the Java EE API vote I just bumped on the dev@ list here this morning.
Jon On Wed, Mar 11, 2020 at 10:26 AM dkwakkel <[email protected]> wrote: > > FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain > xbean-reflect/JNDI blocking, as demonstrated by > org.apache.xbean.propertyeditor.JndiConverter. > > 8.0.1 ships jackson-databind-2.10.0.jar and xbean-reflect-4.14.jar > > CVE score is 9.8, so can we expect soon TomEE 8.0.2 with this fix in it? > > > > -- > Sent from: > http://tomee-openejb.979440.n4.nabble.com/TomEE-Dev-f982480.html >
