TomEE 8.0.5 tomcat/quartz-openejb-shade dependency versions

> Hi,
>
>
>
> We've recently upgraded from TomEE 1.7.5 up to TomEE 8.0.5 which has been
> a pretty smooth transition for us, but and I'm a bit puzzled by 2 things:
>
>
> 1.       The list of changes in 8.0.5 (
> https://github.com/apache/tomee/compare/tomee-8.0.5...master) indicates
> the version of Tomcat has bumped up to 9.0.40, but when my TomEE 8.0.5
> starts up it looks like it's still using 9.0.39: "Server version name:
>  Apache Tomcat (TomEE)/9.0.39 (8.0.5)".
>
> 2.       Really happy to see CVE-2019-13990  addressed in TOMEE-2672 (
> https://issues.apache.org/jira/browse/TOMEE-2672). But TomEE 8.0.5 still
> seems to be shipping the old jar file not the new one with the fix in it.
> https://github.com/apache/tomee/blob/master/pom.xml should the version of
> quartz-openejb-shade have been bumped up to 2.2.4 when TOMEE-2672 was
> fixed? In our local build we're currently replacing the old jar file with
> the new jar file to address the issue.
>
>
>
> Thanks in advance,
>
> Bruce
>

> Hi,
>
>
>
> We've recently upgraded from TomEE 1.7.5 up to TomEE 8.0.5 which has
> been a pretty smooth transition for us, but and I'm a bit puzzled by 2 things:
>
>
> 1.       The list of changes in 8.0.5 (
> https://github.com/apache/tomee/compare/tomee-8.0.5...master)
> indicates the version of Tomcat has bumped up to 9.0.40, but when my
> TomEE 8.0.5 starts up it looks like it's still using 9.0.39: "Server version name:
>  Apache Tomcat (TomEE)/9.0.39 (8.0.5)".
>
> 2.       Really happy to see CVE-2019-13990  addressed in TOMEE-2672 (
> https://issues.apache.org/jira/browse/TOMEE-2672). But TomEE 8.0.5
> still seems to be shipping the old jar file not the new one with the fix in it.
> https://github.com/apache/tomee/blob/master/pom.xml should the version
> of quartz-openejb-shade have been bumped up to 2.2.4 when TOMEE-2672
> was fixed? In our local build we're currently replacing the old jar
> file with the new jar file to address the issue.
>
>
>
> Thanks in advance,
>
> Bruce
>

--

> I created a related PR https://github.com/apache/tomee/pull/742
>
> Gruss
> Richard
>
> Am Montag, den 21.12.2020, 00:18 +0000 schrieb Bruce Heavey:
> > I don’t really feel comfortable making contributions yet sorry -
> > better to leave that to the experts!
> >
> > But I’m happy to raise the JIRA ticket, I've created TOMEE 2947 for
> > this, cheers!
> > https://issues.apache.org/jira/browse/TOMEE-2947
> >
> >
> > -----Original Message-----
> > From: Jean-Louis Monteiro <[hidden email]>
> > Sent: Friday, 18 December 2020 6:11 PM
> > To: [hidden email]
> > Subject: Re: TomEE 8.0.5 tomcat/quartz-openejb-shade dependency
> > versions
> >
> > Hi Bruce,
> >
> > Glad the upgrade went well.
> >
> > 1/ I checked the pom file of the 8.0.5
> > https://github.com/apache/tomee/blob/tomee-8.0.5/pom.xml#L148
> > Tomcat seems to be 9.0.39 in there so what you see in the logs is
> > fine.
> >
> > It probably got added after the release.
> >
> https://github.com/apache/tomee/commit/eb2928435685d3e5fb184d0aa945efbfe06f26a4
> >
> > The day after the release actually.
> >
> > 2/ You are correct I think.
> > We should upgrade to 2.2.4
> >
> > Would you like to create the ticket and the PR?
> > It's fairly simple and would be awesome to have you fix it.
> >
> > If not, lemme know and I can do it.
> >
> > --
> > Jean-Louis Monteiro
> > http://twitter.com/jlouismonteiro
> > http://www.tomitribe.com
> >
> >
> > On Fri, Dec 18, 2020 at 6:17 AM Bruce Heavey <[hidden email]>
> > wrote:
> >
> > > Hi,
> > >
> > >
> > >
> > > We've recently upgraded from TomEE 1.7.5 up to TomEE 8.0.5 which
> > > has
> > > been a pretty smooth transition for us, but and I'm a bit puzzled
> > > by 2 things:
> > >
> > >
> > > 1.       The list of changes in 8.0.5 (
> > > https://github.com/apache/tomee/compare/tomee-8.0.5...master)
> > > indicates the version of Tomcat has bumped up to 9.0.40, but when
> > > my
> > > TomEE 8.0.5 starts up it looks like it's still using 9.0.39:
> > > "Server version name:
> > >  Apache Tomcat (TomEE)/9.0.39 (8.0.5)".
> > >
> > > 2.       Really happy to see CVE-2019-13990  addressed in TOMEE-
> > > 2672 (
> > > https://issues.apache.org/jira/browse/TOMEE-2672). But TomEE 8.0.5
> > > still seems to be shipping the old jar file not the new one with
> > > the fix in it.
> > > https://github.com/apache/tomee/blob/master/pom.xml should the
> > > version
> > > of quartz-openejb-shade have been bumped up to 2.2.4 when TOMEE-
> > > 2672
> > > was fixed? In our local build we're currently replacing the old
> > > jar
> > > file with the new jar file to address the issue.
> > >
> > >
> > >
> > > Thanks in advance,
> > >
> > > Bruce
> > >
> --
> Richard Zowalla, M.Sc.
> Research Associate, PhD Student | Medical Informatics
>
> Hochschule Heilbronn – University of Applied Sciences
> Max-Planck-Str. 39
> D-74081 Heilbronn
> phone: +49 7131 504 6791
> mail: [hidden email]
> web: https://www.mi.hs-heilbronn.de/
>

--

> Hi,
>
> thanks for the update. Just got the push notification from GitHub.
>
> I have fixed the compile issues (sorry!) related to Quartz and opened a
> new PR: https://github.com/apache/tomee/pull/743. This is now inline
> with the update conducted for 7.1.x and 7.0.x.
>
> Gruss
> Richard
>
> Am Mittwoch, den 23.12.2020, 13:26 +0100 schrieb Jean-Louis Monteiro:
> > Thanks Richard,
> >
> > I first merged the PR, but had to revert the version because of some
> > compilation issues. I don't think it's hard to fix, but I'll have to
> > look
> > later
> > --
> > Jean-Louis Monteiro
> > http://twitter.com/jlouismonteiro
> > http://www.tomitribe.com
> >
> >
> > On Mon, Dec 21, 2020 at 8:39 AM Zowalla, Richard <
> > [hidden email]> wrote:
> >
> > > I created a related PR https://github.com/apache/tomee/pull/742
> > >
> > > Gruss
> > > Richard
> > >
> > > Am Montag, den 21.12.2020, 00:18 +0000 schrieb Bruce Heavey:
> > > > I don’t really feel comfortable making contributions yet sorry -
> > > > better to leave that to the experts!
> > > >
> > > > But I’m happy to raise the JIRA ticket, I've created TOMEE 2947
> > > > for
> > > > this, cheers!
> > > > https://issues.apache.org/jira/browse/TOMEE-2947
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Jean-Louis Monteiro <[hidden email]>
> > > > Sent: Friday, 18 December 2020 6:11 PM
> > > > To: [hidden email]
> > > > Subject: Re: TomEE 8.0.5 tomcat/quartz-openejb-shade dependency
> > > > versions
> > > >
> > > > Hi Bruce,
> > > >
> > > > Glad the upgrade went well.
> > > >
> > > > 1/ I checked the pom file of the 8.0.5
> > > > https://github.com/apache/tomee/blob/tomee-8.0.5/pom.xml#L148
> > > > Tomcat seems to be 9.0.39 in there so what you see in the logs is
> > > > fine.
> > > >
> > > > It probably got added after the release.
> > > >
> > >
> https://github.com/apache/tomee/commit/eb2928435685d3e5fb184d0aa945efbfe06f26a4
> > > > The day after the release actually.
> > > >
> > > > 2/ You are correct I think.
> > > > We should upgrade to 2.2.4
> > > >
> > > > Would you like to create the ticket and the PR?
> > > > It's fairly simple and would be awesome to have you fix it.
> > > >
> > > > If not, lemme know and I can do it.
> > > >
> > > > --
> > > > Jean-Louis Monteiro
> > > > http://twitter.com/jlouismonteiro
> > > > http://www.tomitribe.com
> > > >
> > > >
> > > > On Fri, Dec 18, 2020 at 6:17 AM Bruce Heavey <[hidden email]>
> > > > wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > >
> > > > >
> > > > > We've recently upgraded from TomEE 1.7.5 up to TomEE 8.0.5
> > > > > which
> > > > > has
> > > > > been a pretty smooth transition for us, but and I'm a bit
> > > > > puzzled
> > > > > by 2 things:
> > > > >
> > > > >
> > > > > 1.       The list of changes in 8.0.5 (
> > > > > https://github.com/apache/tomee/compare/tomee-8.0.5...master)
> > > > > indicates the version of Tomcat has bumped up to 9.0.40, but
> > > > > when
> > > > > my
> > > > > TomEE 8.0.5 starts up it looks like it's still using 9.0.39:
> > > > > "Server version name:
> > > > >  Apache Tomcat (TomEE)/9.0.39 (8.0.5)".
> > > > >
> > > > > 2.       Really happy to see CVE-2019-13990  addressed in
> > > > > TOMEE-
> > > > > 2672 (
> > > > > https://issues.apache.org/jira/browse/TOMEE-2672). But TomEE
> > > > > 8.0.5
> > > > > still seems to be shipping the old jar file not the new one
> > > > > with
> > > > > the fix in it.
> > > > > https://github.com/apache/tomee/blob/master/pom.xml should the
> > > > > version
> > > > > of quartz-openejb-shade have been bumped up to 2.2.4 when
> > > > > TOMEE-
> > > > > 2672
> > > > > was fixed? In our local build we're currently replacing the old
> > > > > jar
> > > > > file with the new jar file to address the issue.
> > > > >
> > > > >
> > > > >
> > > > > Thanks in advance,
> > > > >
> > > > > Bruce
> > > > >
> > > --
> > > Richard Zowalla, M.Sc.
> > > Research Associate, PhD Student | Medical Informatics
> > >
> > > Hochschule Heilbronn – University of Applied Sciences
> > > Max-Planck-Str. 39
> > > D-74081 Heilbronn
> > > phone: +49 7131 504 6791
> > > mail: [hidden email]
> > > web: https://www.mi.hs-heilbronn.de/
> > >
> --
> Richard Zowalla, M.Sc.
> Research Associate, PhD Student | Medical Informatics
>
> Hochschule Heilbronn – University of Applied Sciences
> Max-Planck-Str. 39
> D-74081 Heilbronn
> phone: +49 7131 504 6791
> mail: [hidden email]
> web: https://www.mi.hs-heilbronn.de/
>