No-one's objected, so I'll push an update to quartz-openejb-shade, and if it's looking ok, I'll call a vote so it's released and we can use the update in TomEE.
Jon

On Fri, Aug 30, 2019 at 3:40 PM Jonathan Gallimore <[email protected]> wrote:
> I forgot - here's the link to the actual issue in Quartz: https://github.com/quartz-scheduler/quartz/issues/467. The XML parser isn't well configured, which leaves it potentially vulnerable to XXE attacks from malicious XML input.
>
> Jon
>
> On Fri, Aug 30, 2019 at 3:38 PM Jonathan Gallimore <[email protected]> wrote:
>
>> Hi all,
>>
>> There's a potential XXE in the quartz package that we shade and use. The quartz package itself doesn't appear to be maintained any more, so I have forked and pushed binaries with a fix to staging repos at oss.sonatype.org.
>>
>> I intend to update our quartz shade code here: https://svn.apache.org/repos/asf/tomee/deps/trunk/quartz-openejb-shade/ to use my patched version of quartz.
>>
>> It's unlikely that TomEE as it is is affected by this as we're not driving Quartz by passing XML to it, but I think it makes sense to use a patched version to mitigate this in case users are calling this code directly in their applications.
>>
>> Are there any objections?
>>
>> Thanks
>>
>> Jon
>>
