Posted to commits@tomee.apache.org by "francis (Jira)" <ji...@apache.org> on 2020/11/09 08:29:00 UTC

[jira] [Updated] (TOMEE-2918) Upgrade "activemq 5.15.12" and "quartz-openejb-shade-2.2.1" in TomEE 8.0.4 due to CVEs

     [ https://issues.apache.org/jira/browse/TOMEE-2918?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

francis updated TOMEE-2918:
---------------------------
    Summary: Upgrade "activemq 5.15.12" and "quartz-openejb-shade-2.2.1" in TomEE 8.0.4 due to CVEs  (was: Upgrade activemq 5.15.12 and quartz-openejb-shade-2.2.1 in TomEE 8.0.4 due to CVEs)

> Upgrade "activemq 5.15.12" and "quartz-openejb-shade-2.2.1" in TomEE 8.0.4 due to CVEs
> --------------------------------------------------------------------------------------
>
>                 Key: TOMEE-2918
>                 URL: https://issues.apache.org/jira/browse/TOMEE-2918
>             Project: TomEE
>          Issue Type: Dependency upgrade
>          Components: TomEE Build
>    Affects Versions: 8.0.4
>            Reporter: francis
>            Priority: Major
>
> Dear maintainers,
> When I got the 8.0.4 TomEE binary from the following link:
> [https://www.apache.org/dyn/closer.cgi/tomee/tomee-8.0.4/apache-tomee-8.0.4-plume.tar.gz]
> I found there are 2 libraries with known CVEs:
>  * apache-tomee-8.0.4-plume.tar.gz:apache-tomee-plume-8.0.4/lib/activemq-client-5.15.12.jar
>  * apache-tomee-8.0.4-plume.tar.gz:apache-tomee-plume-8.0.4/lib/quartz-openejb-shade-2.2.1.jar
> I found 2 tickets here pointing out that both libraries were upgraded in previous versions in the 8.x branch:
>  * activemq: https://issues.apache.org/jira/browse/TOMEE-2171
>  * quartz: https://issues.apache.org/jira/browse/TOMEE-2672
> But it seems they are still in the TomEE 8.0.4 build. Do we have a plan to upgrade both libraries in future 8.x releases?
> By the way, I saw that this ticket states that activemq will be upgraded in the 8.0.5 release:
> https://issues.apache.org/jira/browse/TOMEE-2904
>  
> Thank you very much for your effort in advance!
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)