Hi all,

There's a potential XXE in the quartz package that we shade and use. The quartz package itself doesn't appear to be maintained any more, so I have forked and pushed binaries with a fix to staging repos at oss.sonatype.org.

I intend to update our quartz shade code here: https://svn.apache.org/repos/asf/tomee/deps/trunk/quartz-openejb-shade/ to use my patched version of quartz. It is unlikely that TomEE, as it is, is affected by this as we're not driving Quartz by passing XML to it, but I think it makes sense to use a patched version to mitigate this in case users are calling this code directly in their applications.

Are there any objections?

Thanks

Jon
