Hi,
We've recently upgraded from TomEE 1.7.5 up to TomEE 8.0.5 which has been a pretty smooth transition for us, but and I'm a bit puzzled by 2 things: 1. The list of changes in 8.0.5 (https://github.com/apache/tomee/compare/tomee-8.0.5...master) indicates the version of Tomcat has bumped up to 9.0.40, but when my TomEE 8.0.5 starts up it looks like it's still using 9.0.39: "Server version name: Apache Tomcat (TomEE)/9.0.39 (8.0.5)". 2. Really happy to see CVE-2019-13990 addressed in TOMEE-2672 (https://issues.apache.org/jira/browse/TOMEE-2672). But TomEE 8.0.5 still seems to be shipping the old jar file not the new one with the fix in it. https://github.com/apache/tomee/blob/master/pom.xml should the version of quartz-openejb-shade have been bumped up to 2.2.4 when TOMEE-2672 was fixed? In our local build we're currently replacing the old jar file with the new jar file to address the issue. Thanks in advance, Bruce
