Here's my +1.

On Wed, Sep 25, 2019 at 1:27 AM David Blevins <[email protected]> wrote:
> +1
>
> --
> David Blevins
> http://twitter.com/dblevins
> http://www.tomitribe.com
>
> > On Sep 8, 2019, at 1:26 PM, Jonathan Gallimore <[email protected]> wrote:
> >
> > Hi
> >
> > This is a vote for releasing an updated quartz-openejb-shade jar. This is
> > used by OpenEJB core to provide EJB timer services. We shade quartz to
> > avoid conflicts if users provide it in their applications themselves.
> > Quartz itself was vulnerable to an External XML Entity Processing issue
> > (XXE), and in turn, so is our shaded version. This release shades an up to
> > date Quartz package with the XXE fixed.
> >
> > *Sources*
> > https://repository.apache.org/content/repositories/orgapachetomee-1144/org/apache/openejb/shade/quartz-openejb-shade/2.2.4/quartz-openejb-shade-2.2.4-source-release.zip
> >
> > *Binary*
> > https://repository.apache.org/content/repositories/orgapachetomee-1144/org/apache/openejb/shade/quartz-openejb-shade/2.2.4/quartz-openejb-shade-2.2.4.jar
> >
> > *Change*
> > https://issues.apache.org/jira/browse/TOMEE-2672 (still open as the update
> > in TomEE will refer to this as well).
> >
> > Please VOTE
> > [+1] all fine, ship it
> > [+0] don't care
> > [-1] stop, because ${reason}
> >
> > The VOTE is open for 72h.
> >
> > Many thanks
> >
> > Jon
