Posted to commits@tomee.apache.org by "francis (Jira)" <ji...@apache.org> on 2020/11/09 08:28:00 UTC
[jira] [Created] (TOMEE-2918) Upgrade activemq 5.15.12 and quartz-openejb-shade-2.2.1 in TomEE 8.0.4 due to CVEs
francis created TOMEE-2918:
------------------------------
Summary: Upgrade activemq 5.15.12 and quartz-openejb-shade-2.2.1 in TomEE 8.0.4 due to CVEs
Key: TOMEE-2918
URL: https://issues.apache.org/jira/browse/TOMEE-2918
Project: TomEE
Issue Type: Dependency upgrade
Components: TomEE Build
Affects Versions: 8.0.4
Reporter: francis
Dear maintainers,
When I got the 8.0.4 TomEE binary from the following link:
[https://www.apache.org/dyn/closer.cgi/tomee/tomee-8.0.4/apache-tomee-8.0.4-plume.tar.gz]
I found there are 2 libraries with known CVEs:
* apache-tomee-8.0.4-plume.tar.gz:apache-tomee-plume-8.0.4/lib/activemq-client-5.15.12.jar
* apache-tomee-8.0.4-plume.tar.gz:apache-tomee-plume-8.0.4/lib/quartz-openejb-shade-2.2.1.jar
I found 2 tickets here indicating that both libraries were upgraded in previous versions in the 8.x branch:
* activemq: https://issues.apache.org/jira/browse/TOMEE-2171
* quartz: https://issues.apache.org/jira/browse/TOMEE-2672
But it seems they are still in the TomEE 8.0.4 build. Do we have a plan to upgrade both libraries in future 8.x releases?
By the way, I saw this ticket states that activemq will be upgraded in the 8.0.5 release:
https://issues.apache.org/jira/browse/TOMEE-2904
Thank you very much for your effort in advance!