I don’t really feel comfortable making contributions yet sorry - better to leave that to the experts!
But I’m happy to raise the JIRA ticket, I've created TOMEE 2947 for this, cheers!
https://issues.apache.org/jira/browse/TOMEE-2947

-----Original Message-----
From: Jean-Louis Monteiro <[email protected]>
Sent: Friday, 18 December 2020 6:11 PM
To: [email protected]
Subject: Re: TomEE 8.0.5 tomcat/quartz-openejb-shade dependency versions

Hi Bruce,

Glad the upgrade went well.

1/ I checked the pom file of the 8.0.5
https://github.com/apache/tomee/blob/tomee-8.0.5/pom.xml#L148
Tomcat seems to be 9.0.39 in there so what you see in the logs is fine.

It probably got added after the release.
https://github.com/apache/tomee/commit/eb2928435685d3e5fb184d0aa945efbfe06f26a4
The day after the release actually.

2/ You are correct I think. We should upgrade to 2.2.4

Would you like to create the ticket and the PR?
It's fairly simple and would be awesome to have you fix it.

If not, lemme know and I can do it.

--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com

On Fri, Dec 18, 2020 at 6:17 AM Bruce Heavey <[email protected]> wrote:

> Hi,
>
> We've recently upgraded from TomEE 1.7.5 up to TomEE 8.0.5 which has
> been a pretty smooth transition for us, but I'm a bit puzzled by 2 things:
>
> 1. The list of changes in 8.0.5 (
> https://github.com/apache/tomee/compare/tomee-8.0.5...master)
> indicates the version of Tomcat has bumped up to 9.0.40, but when my
> TomEE 8.0.5 starts up it looks like it's still using 9.0.39:
> "Server version name: Apache Tomcat (TomEE)/9.0.39 (8.0.5)".
>
> 2. Really happy to see CVE-2019-13990 addressed in TOMEE-2672 (
> https://issues.apache.org/jira/browse/TOMEE-2672). But TomEE 8.0.5
> still seems to be shipping the old jar file not the new one with the
> fix in it.
> https://github.com/apache/tomee/blob/master/pom.xml should the version
> of quartz-openejb-shade have been bumped up to 2.2.4 when TOMEE-2672
> was fixed?
> In our local build we're currently replacing the old jar
> file with the new jar file to address the issue.
>
> Thanks in advance,
>
> Bruce
