RE: TomEE 8.0.5 and microprofile JWT RBAC 1.1

2020-12-18 Thread COURTAULT Francois
Hello,

Could anyone answer the questions below?
Thanks in advance.

Best Regards.

-Original Message-
From: COURTAULT Francois [mailto:francois.courta...@thalesgroup.com] 
Sent: Friday, 11 December 2020 18:23
To: users@tomee.apache.org
Subject: TomEE 8.0.5 and microprofile JWT RBAC 1.1

Hello everyone,

Is TomEE 8.0.5 certified for micro-profile JWT 1.1?
Looking at the lib embedded, microprofile-jwt-auth-api-1.1.1.jar, I would say 
yes, but I prefer to check.

BTW, it's a recurrent question I have: what is the micro-profile version on 
which TomEE 8.0.5 is certified?
The latest version is 3.3.

Best Regards.





Re: TomEE 8.0.5 tomcat/quartz-openejb-shade dependency versions

2020-12-18 Thread Jean-Louis Monteiro
Hi Bruce,

Glad the upgrade went well.

1/ I checked the pom file of the 8.0.5
https://github.com/apache/tomee/blob/tomee-8.0.5/pom.xml#L148
Tomcat seems to be 9.0.39 in there so what you see in the logs is fine.

It probably got added after the release.
https://github.com/apache/tomee/commit/eb2928435685d3e5fb184d0aa945efbfe06f26a4

The day after the release actually.

2/ You are correct I think.
We should upgrade to 2.2.4

Would you like to create the ticket and the PR?
It's fairly simple and would be awesome to have you fix it.

If not, lemme know and I can do it.

--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com


On Fri, Dec 18, 2020 at 6:17 AM Bruce Heavey wrote:

> Hi,
>
>
>
> We've recently upgraded from TomEE 1.7.5 up to TomEE 8.0.5 which has been
> a pretty smooth transition for us, but I'm a bit puzzled by 2 things:
>
>
> 1.   The list of changes in 8.0.5 (
> https://github.com/apache/tomee/compare/tomee-8.0.5...master) indicates
> the version of Tomcat has bumped up to 9.0.40, but when my TomEE 8.0.5
> starts up it looks like it's still using 9.0.39: "Server version name:
>  Apache Tomcat (TomEE)/9.0.39 (8.0.5)".
>
> 2.   Really happy to see CVE-2019-13990 addressed in TOMEE-2672 (
> https://issues.apache.org/jira/browse/TOMEE-2672). But TomEE 8.0.5 still
> seems to be shipping the old jar file not the new one with the fix in it.
> https://github.com/apache/tomee/blob/master/pom.xml should the version of
> quartz-openejb-shade have been bumped up to 2.2.4 when TOMEE-2672 was
> fixed? In our local build we're currently replacing the old jar file with
> the new jar file to address the issue.
>
>
>
> Thanks in advance,
>
> Bruce
>
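
Added example, not part of the thread and not TomEE project code: a check for the situation discussed above, where an installation may still ship a quartz-openejb-shade jar older than the 2.2.4 named in the thread, or may hold both the old and the new jar after a manual replacement. It assumes the jar follows the Maven file naming convention artifactId-version.jar; the function names and the 2.2.1 sample file name are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: the jar is named <artifactId>-<version>.jar (Maven convention).
JAR_PATTERN = re.compile(r"^quartz-openejb-shade-(\d+(?:\.\d+)*)\.jar$")
FIXED_VERSION = (2, 2, 4)  # version the thread names as carrying the fix


def audit_lib_dir(lib_dir, minimum=FIXED_VERSION):
    """Return (jar name, version tuple or None, ok) for each shade jar found."""
    findings = []
    for jar in sorted(Path(lib_dir).glob("quartz-openejb-shade-*.jar")):
        match = JAR_PATTERN.match(jar.name)
        if not match:
            # Qualifier or unexpected name: flag it for manual review.
            findings.append((jar.name, None, False))
            continue
        version = tuple(int(part) for part in match.group(1).split("."))
        # Pad both tuples so that 2.3 compares as 2.3.0 against 2.2.4.
        width = max(len(version), len(minimum))
        padded = version + (0,) * (width - len(version))
        floor = tuple(minimum) + (0,) * (width - len(minimum))
        findings.append((jar.name, version, padded >= floor))
    return findings


def lib_is_clean(findings):
    """True only if exactly one shade jar is present and it meets the minimum."""
    return len(findings) == 1 and findings[0][2]


if __name__ == "__main__":
    # Constructed sample: a lib directory where the new jar was copied in
    # but the old one was left behind.
    with tempfile.TemporaryDirectory() as lib:
        for name in ("quartz-openejb-shade-2.2.1.jar",
                     "quartz-openejb-shade-2.2.4.jar"):
            (Path(lib) / name).touch()
        results = audit_lib_dir(lib)
        for name, version, ok in results:
            print(f"{name}: {'ok' if ok else 'REVIEW'}")
        print("clean:", lib_is_clean(results))
```

A file name only states a version; it does not prove what the jar contains, so a jar that passes this check is still worth verifying against the published artifact's checksum.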