Posted to dev@activemq.apache.org by Jean-Baptiste Onofré <jb...@nanthrax.net> on 2022/03/31 12:47:35 UTC

[PROPOSAL] Apache ActiveMQ 5.17.1 release

Hi guys,

I would like to prepare ActiveMQ 5.17.1 release this week, probably to
submit it to vote during the weekend or next week.

One of the main reasons is to update to Spring 5.3.18 which includes
CVE fixes (https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement).
I also have other fixes/updates to add.

Regards
JB

Re: [PROPOSAL] Apache ActiveMQ 5.17.1 release

Posted by Jonathan Gallimore <jo...@gmail.com>.
+1. Thanks JB!

On Thu, Mar 31, 2022 at 1:47 PM Jean-Baptiste Onofré <jb...@nanthrax.net>
wrote:

> Hi guys,
>
> I would like to prepare ActiveMQ 5.17.1 release this week, probably to
> submit it to vote during the weekend or next week.
>
> One of the main reasons is to update to Spring 5.3.18 which includes
> CVE fixes (https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement).
> I also have other fixes/updates to add.
>
> Regards
> JB
>

Re: [PROPOSAL] Apache ActiveMQ 5.17.1 release (Spring CVE-2022-22965)

Posted by Matt Pavlovich <ma...@gmail.com>.
Still looking for hard confirmation Spring 4.x is impacted. This is a document from VMware that mentions “older unsupported versions”— https://tanzu.vmware.com/security/cve-2022-22965


> On Mar 31, 2022, at 9:05 AM, Matt Pavlovich <ma...@gmail.com> wrote:
> 
> @JB—
> 
> The Spring release documentation is indicating that “older unsupported” releases are impacted— ie Spring 4.x used by ActiveMQ 5.16.x.
> 
> If we do not get a Spring 4.x fix, we may need a corresponding announcement deprecating 5.16.x.
> 
> Thoughts?
> Matt Pavlovich
> 
>> On Mar 31, 2022, at 7:47 AM, Jean-Baptiste Onofré <jb...@nanthrax.net> wrote:
>> 
>> Hi guys,
>> 
>> I would like to prepare ActiveMQ 5.17.1 release this week, probably to
>> submit it to vote during the weekend or next week.
>> 
>> One of the main reasons is to update to Spring 5.3.18 which includes
>> CVE fixes (https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement).
>> I also have other fixes/updates to add.
>> 
>> Regards
>> JB
> 


Re: [PROPOSAL] Apache ActiveMQ 5.17.1 release (Spring CVE-2022-22965)

Posted by Jean-Baptiste Onofré <jb...@nanthrax.net>.
Hi guys

We are finally almost ready for 5.17.1 release. Only two Jira with PRs are
under review.
I will work on these ones today.

I plan to submit 5.17.1 to vote tomorrow.

Thanks
Regards
JB

On Mon, Apr 11, 2022 at 07:50, Jean-Baptiste Onofré <jb...@nanthrax.net> wrote:

> Hi guys,
>
> Quick update about ActiveMQ 5.17.1 release.
>
> We have the last update PRs to merge and a couple of fixes to do. I'm
> working on it this week. I will submit 5.17.1 to vote by the end of
> the week.
>
> Regards
> JB
>
> On Sat, Apr 2, 2022 at 6:11 AM Jean-Baptiste Onofré <jb...@nanthrax.net>
> wrote:
> >
> > Hi Bruce;
> >
> > Yes, ActiveMQ 5.17.x requires JDK 11, and yes, client part doesn't use
> > Spring (only broker does).
> >
> > Regards
> > JB
> >
> > On Fri, Apr 1, 2022 at 11:41 PM W B D <wb...@users.sourceforge.net> wrote:
> > >
> > > Just to be clear, please advise, does ActiveMQ 5.17.x *require* JRE
> 11+ (or
> > > >1.8 in any case) at runtime, even if only using the client JAR
> (without
> > > the additional dependencies required to support embedded brokers using
> the
> > > vm and peer transports, for example).
> > >
> > > And second, please confirm, I don't need to worry about these Spring
> > > related vulnerabilities if using only the client JAR e.g. for tcp or
> > > failover connections, with no embedded brokers.
> > >
> > > If this second point is correct, then at least it shouldn't be a big
> deal
> > > if some of our client applications do need to reference ActiveMQ client
> > > version 5.16.4, even after our broker(s) have been upgraded to 5.17.1+.
> > >
> > > Thanks,
> > > Bruce D
> > >
> > > On Thu, Mar 31, 2022 at 7:56 AM Matt Pavlovich <ma...@gmail.com>
> wrote:
> > >
> > > > One more note— the current exploit _requires_ JDK 9+, so many 5.15.x
> and
> > > > some 5.16.x would not be impacted.
> > > >
> > > > > On Mar 31, 2022, at 9:21 AM, Matt Pavlovich <ma...@gmail.com>
> wrote:
> > > > >
> > > > > @JB — Agreed, so far there is no published exploit that would
> impact
> > > > ActiveMQ.
> > > > >
> > > > > Here is the latest I was able to find from Spring regarding
> backports
> > > > (sounds like no 4.x patch is coming):
> > > > >
> > > > > ref: https://github.com/spring-projects/spring-framework/issues/28260
> > > > >
> > > > > Thanks,
> > > > > Matt Pavlovich
> > > > >
> > > > >> On Mar 31, 2022, at 9:10 AM, Jean-Baptiste Onofré <
> jb@nanthrax.net
> > > > <ma...@nanthrax.net>> wrote:
> > > > >>
> > > > >> Hi,
> > > > >>
> > > > >> We can "invite" our users to upgrade to 5.17.x asap. However, a
> lot of
> > > > >> users are still using 5.15.x/5.16.x, so, I would not be too
> "strict"
> > > > >> ;)
> > > > >>
> > > > >> In the context of ActiveMQ, the CVE is not very severe IMHO.
> > > > >>
> > > > >> Regards
> > > > >> JB
> > > > >>
> > > > >> On Thu, Mar 31, 2022 at 4:05 PM Matt Pavlovich <
> mattrpav@gmail.com
> > > > <ma...@gmail.com>> wrote:
> > > > >>>
> > > > >>> @JB—
> > > > >>>
> > > > >>> The Spring release documentation is indicating that “older unsupported” releases are impacted— ie Spring 4.x used by ActiveMQ 5.16.x.
> > > > >>>
> > > > >>> If we do not get a Spring 4.x fix, we may need a corresponding
> > > > announcement deprecating 5.16.x.
> > > > >>>
> > > > >>> Thoughts?
> > > > >>> Matt Pavlovich
> > > > >>>
> > > > >>>> On Mar 31, 2022, at 7:47 AM, Jean-Baptiste Onofré <
> jb@nanthrax.net
> > > > <ma...@nanthrax.net>> wrote:
> > > > >>>>
> > > > >>>> Hi guys,
> > > > >>>>
> > > > >>>> I would like to prepare ActiveMQ 5.17.1 release this week,
> probably to
> > > > >>>> submit it to vote during the weekend or next week.
> > > > >>>>
> > > > >>>> One of the main reasons is to update to Spring 5.3.18 which
> includes
> > > > >>>> CVE fixes (https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement).
> > > > >>>> I also have other fixes/updates to add.
> > > > >>>>
> > > > >>>> Regards
> > > > >>>> JB
> > > > >>>
> > > > >
> > > >
> > > >
>

Re: [PROPOSAL] Apache ActiveMQ 5.17.1 release (Spring CVE-2022-22965)

Posted by Jean-Baptiste Onofré <jb...@nanthrax.net>.
Hi guys,

Quick update about ActiveMQ 5.17.1 release.

We have the last update PRs to merge and a couple of fixes to do. I'm
working on it this week. I will submit 5.17.1 to vote by the end of
the week.

Regards
JB

On Sat, Apr 2, 2022 at 6:11 AM Jean-Baptiste Onofré <jb...@nanthrax.net> wrote:
>
> Hi Bruce;
>
> Yes, ActiveMQ 5.17.x requires JDK 11, and yes, client part doesn't use
> Spring (only broker does).
>
> Regards
> JB
>
> On Fri, Apr 1, 2022 at 11:41 PM W B D <wb...@users.sourceforge.net> wrote:
> >
> > Just to be clear, please advise, does ActiveMQ 5.17.x *require* JRE 11+ (or
> > >1.8 in any case) at runtime, even if only using the client JAR (without
> > the additional dependencies required to support embedded brokers using the
> > vm and peer transports, for example).
> >
> > And second, please confirm, I don't need to worry about these Spring
> > related vulnerabilities if using only the client JAR e.g. for tcp or
> > failover connections, with no embedded brokers.
> >
> > If this second point is correct, then at least it shouldn't be a big deal
> > if some of our client applications do need to reference ActiveMQ client
> > version 5.16.4, even after our broker(s) have been upgraded to 5.17.1+.
> >
> > Thanks,
> > Bruce D
> >
> > On Thu, Mar 31, 2022 at 7:56 AM Matt Pavlovich <ma...@gmail.com> wrote:
> >
> > > One more note— the current exploit _requires_ JDK 9+, so many 5.15.x and
> > > some 5.16.x would not be impacted.
> > >
> > > > On Mar 31, 2022, at 9:21 AM, Matt Pavlovich <ma...@gmail.com> wrote:
> > > >
> > > > @JB — Agreed, so far there is no published exploit that would impact
> > > ActiveMQ.
> > > >
> > > > Here is the latest I was able to find from Spring regarding backports
> > > (sounds like no 4.x patch is coming):
> > > >
> > > > ref: https://github.com/spring-projects/spring-framework/issues/28260
> > > >
> > > > Thanks,
> > > > Matt Pavlovich
> > > >
> > > >> On Mar 31, 2022, at 9:10 AM, Jean-Baptiste Onofré <jb@nanthrax.net
> > > <ma...@nanthrax.net>> wrote:
> > > >>
> > > >> Hi,
> > > >>
> > > >> We can "invite" our users to upgrade to 5.17.x asap. However, a lot of
> > > >> users are still using 5.15.x/5.16.x, so, I would not be too "strict"
> > > >> ;)
> > > >>
> > > >> In the context of ActiveMQ, the CVE is not very severe IMHO.
> > > >>
> > > >> Regards
> > > >> JB
> > > >>
> > > >> On Thu, Mar 31, 2022 at 4:05 PM Matt Pavlovich <mattrpav@gmail.com
> > > <ma...@gmail.com>> wrote:
> > > >>>
> > > >>> @JB—
> > > >>>
> > > >>> The Spring release documentation is indicating that “older unsupported” releases are impacted— ie Spring 4.x used by ActiveMQ 5.16.x.
> > > >>>
> > > >>> If we do not get a Spring 4.x fix, we may need a corresponding
> > > announcement deprecating 5.16.x.
> > > >>>
> > > >>> Thoughts?
> > > >>> Matt Pavlovich
> > > >>>
> > > >>>> On Mar 31, 2022, at 7:47 AM, Jean-Baptiste Onofré <jb@nanthrax.net
> > > <ma...@nanthrax.net>> wrote:
> > > >>>>
> > > >>>> Hi guys,
> > > >>>>
> > > >>>> I would like to prepare ActiveMQ 5.17.1 release this week, probably to
> > > >>>> submit it to vote during the weekend or next week.
> > > >>>>
> > > >>>> One of the main reasons is to update to Spring 5.3.18 which includes
> > > >>>> CVE fixes (https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement).
> > > >>>> I also have other fixes/updates to add.
> > > >>>>
> > > >>>> Regards
> > > >>>> JB
> > > >>>
> > > >
> > >
> > >

Re: [PROPOSAL] Apache ActiveMQ 5.17.1 release (Spring CVE-2022-22965)

Posted by Jean-Baptiste Onofré <jb...@nanthrax.net>.
Hi Bruce;

Yes, ActiveMQ 5.17.x requires JDK 11, and yes, client part doesn't use
Spring (only broker does).

Regards
JB

On Fri, Apr 1, 2022 at 11:41 PM W B D <wb...@users.sourceforge.net> wrote:
>
> Just to be clear, please advise, does ActiveMQ 5.17.x *require* JRE 11+ (or
> >1.8 in any case) at runtime, even if only using the client JAR (without
> the additional dependencies required to support embedded brokers using the
> vm and peer transports, for example).
>
> And second, please confirm, I don't need to worry about these Spring
> related vulnerabilities if using only the client JAR e.g. for tcp or
> failover connections, with no embedded brokers.
>
> If this second point is correct, then at least it shouldn't be a big deal
> if some of our client applications do need to reference ActiveMQ client
> version 5.16.4, even after our broker(s) have been upgraded to 5.17.1+.
>
> Thanks,
> Bruce D
>
> On Thu, Mar 31, 2022 at 7:56 AM Matt Pavlovich <ma...@gmail.com> wrote:
>
> > One more note— the current exploit _requires_ JDK 9+, so many 5.15.x and
> > some 5.16.x would not be impacted.
> >
> > > On Mar 31, 2022, at 9:21 AM, Matt Pavlovich <ma...@gmail.com> wrote:
> > >
> > > @JB — Agreed, so far there is no published exploit that would impact
> > ActiveMQ.
> > >
> > > Here is the latest I was able to find from Spring regarding backports
> > (sounds like no 4.x patch is coming):
> > >
> > > ref: https://github.com/spring-projects/spring-framework/issues/28260
> > >
> > > Thanks,
> > > Matt Pavlovich
> > >
> > >> On Mar 31, 2022, at 9:10 AM, Jean-Baptiste Onofré <jb@nanthrax.net
> > <ma...@nanthrax.net>> wrote:
> > >>
> > >> Hi,
> > >>
> > >> We can "invite" our users to upgrade to 5.17.x asap. However, a lot of
> > >> users are still using 5.15.x/5.16.x, so, I would not be too "strict"
> > >> ;)
> > >>
> > >> In the context of ActiveMQ, the CVE is not very severe IMHO.
> > >>
> > >> Regards
> > >> JB
> > >>
> > >> On Thu, Mar 31, 2022 at 4:05 PM Matt Pavlovich <mattrpav@gmail.com
> > <ma...@gmail.com>> wrote:
> > >>>
> > >>> @JB—
> > >>>
> > >>> The Spring release documentation is indicating that “older unsupported” releases are impacted— ie Spring 4.x used by ActiveMQ 5.16.x.
> > >>>
> > >>> If we do not get a Spring 4.x fix, we may need a corresponding
> > announcement deprecating 5.16.x.
> > >>>
> > >>> Thoughts?
> > >>> Matt Pavlovich
> > >>>
> > >>>> On Mar 31, 2022, at 7:47 AM, Jean-Baptiste Onofré <jb@nanthrax.net
> > <ma...@nanthrax.net>> wrote:
> > >>>>
> > >>>> Hi guys,
> > >>>>
> > >>>> I would like to prepare ActiveMQ 5.17.1 release this week, probably to
> > >>>> submit it to vote during the weekend or next week.
> > >>>>
> > >>>> One of the main reasons is to update to Spring 5.3.18 which includes
> > >>>> CVE fixes (https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement).
> > >>>> I also have other fixes/updates to add.
> > >>>>
> > >>>> Regards
> > >>>> JB
> > >>>
> > >
> >
> >

Re: [PROPOSAL] Apache ActiveMQ 5.17.1 release (Spring CVE-2022-22965)

Posted by W B D <wb...@users.sourceforge.net>.
Just to be clear, please advise, does ActiveMQ 5.17.x *require* JRE 11+ (or
>1.8 in any case) at runtime, even if only using the client JAR (without
the additional dependencies required to support embedded brokers using the
vm and peer transports, for example).

And second, please confirm, I don't need to worry about these Spring
related vulnerabilities if using only the client JAR e.g. for tcp or
failover connections, with no embedded brokers.

If this second point is correct, then at least it shouldn't be a big deal
if some of our client applications do need to reference ActiveMQ client
version 5.16.4, even after our broker(s) have been upgraded to 5.17.1+.

Thanks,
Bruce D

On Thu, Mar 31, 2022 at 7:56 AM Matt Pavlovich <ma...@gmail.com> wrote:

> One more note— the current exploit _requires_ JDK 9+, so many 5.15.x and
> some 5.16.x would not be impacted.
>
> > On Mar 31, 2022, at 9:21 AM, Matt Pavlovich <ma...@gmail.com> wrote:
> >
> > @JB — Agreed, so far there is no published exploit that would impact
> ActiveMQ.
> >
> > Here is the latest I was able to find from Spring regarding backports
> (sounds like no 4.x patch is coming):
> >
> > ref: https://github.com/spring-projects/spring-framework/issues/28260
> >
> > Thanks,
> > Matt Pavlovich
> >
> >> On Mar 31, 2022, at 9:10 AM, Jean-Baptiste Onofré <jb@nanthrax.net
> <ma...@nanthrax.net>> wrote:
> >>
> >> Hi,
> >>
> >> We can "invite" our users to upgrade to 5.17.x asap. However, a lot of
> >> users are still using 5.15.x/5.16.x, so, I would not be too "strict"
> >> ;)
> >>
> >> In the context of ActiveMQ, the CVE is not very severe IMHO.
> >>
> >> Regards
> >> JB
> >>
> >> On Thu, Mar 31, 2022 at 4:05 PM Matt Pavlovich <mattrpav@gmail.com
> <ma...@gmail.com>> wrote:
> >>>
> >>> @JB—
> >>>
> >>> The Spring release documentation is indicating that “older unsupported” releases are impacted— ie Spring 4.x used by ActiveMQ 5.16.x.
> >>>
> >>> If we do not get a Spring 4.x fix, we may need a corresponding
> announcement deprecating 5.16.x.
> >>>
> >>> Thoughts?
> >>> Matt Pavlovich
> >>>
> >>>> On Mar 31, 2022, at 7:47 AM, Jean-Baptiste Onofré <jb@nanthrax.net
> <ma...@nanthrax.net>> wrote:
> >>>>
> >>>> Hi guys,
> >>>>
> >>>> I would like to prepare ActiveMQ 5.17.1 release this week, probably to
> >>>> submit it to vote during the weekend or next week.
> >>>>
> >>>> One of the main reasons is to update to Spring 5.3.18 which includes
> >>>> CVE fixes (https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement).
> >>>> I also have other fixes/updates to add.
> >>>>
> >>>> Regards
> >>>> JB
> >>>
> >
>
>

Re: [PROPOSAL] Apache ActiveMQ 5.17.1 release (Spring CVE-2022-22965)

Posted by Matt Pavlovich <ma...@gmail.com>.
One more note— the current exploit _requires_ JDK 9+, so many 5.15.x and some 5.16.x would not be impacted.

> On Mar 31, 2022, at 9:21 AM, Matt Pavlovich <ma...@gmail.com> wrote:
> 
> @JB — Agreed, so far there is no published exploit that would impact ActiveMQ. 
> 
> Here is the latest I was able to find from Spring regarding backports (sounds like no 4.x patch is coming):
> 
> ref: https://github.com/spring-projects/spring-framework/issues/28260
> 
> Thanks,
> Matt Pavlovich
> 
>> On Mar 31, 2022, at 9:10 AM, Jean-Baptiste Onofré <jb@nanthrax.net <ma...@nanthrax.net>> wrote:
>> 
>> Hi,
>> 
>> We can "invite" our users to upgrade to 5.17.x asap. However, a lot of
>> users are still using 5.15.x/5.16.x, so, I would not be too "strict"
>> ;)
>> 
>> In the context of ActiveMQ, the CVE is not very severe IMHO.
>> 
>> Regards
>> JB
>> 
>> On Thu, Mar 31, 2022 at 4:05 PM Matt Pavlovich <mattrpav@gmail.com <ma...@gmail.com>> wrote:
>>> 
>>> @JB—
>>> 
>>> The Spring release documentation is indicating that “older unsupported” releases are impacted— ie Spring 4.x used by ActiveMQ 5.16.x.
>>> 
>>> If we do not get a Spring 4.x fix, we may need a corresponding announcement deprecating 5.16.x.
>>> 
>>> Thoughts?
>>> Matt Pavlovich
>>> 
>>>> On Mar 31, 2022, at 7:47 AM, Jean-Baptiste Onofré <jb@nanthrax.net <ma...@nanthrax.net>> wrote:
>>>> 
>>>> Hi guys,
>>>> 
>>>> I would like to prepare ActiveMQ 5.17.1 release this week, probably to
>>>> submit it to vote during the weekend or next week.
>>>> 
>>>> One of the main reasons is to update to Spring 5.3.18 which includes
>>>> CVE fixes (https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement).
>>>> I also have other fixes/updates to add.
>>>> 
>>>> Regards
>>>> JB
>>> 
> 


Re: [PROPOSAL] Apache ActiveMQ 5.17.1 release (Spring CVE-2022-22965)

Posted by Matt Pavlovich <ma...@gmail.com>.
@JB — Agreed, so far there is no published exploit that would impact ActiveMQ. 

Here is the latest I was able to find from Spring regarding backports (sounds like no 4.x patch is coming):

ref: https://github.com/spring-projects/spring-framework/issues/28260

Thanks,
Matt Pavlovich

> On Mar 31, 2022, at 9:10 AM, Jean-Baptiste Onofré <jb...@nanthrax.net> wrote:
> 
> Hi,
> 
> We can "invite" our users to upgrade to 5.17.x asap. However, a lot of
> users are still using 5.15.x/5.16.x, so, I would not be too "strict"
> ;)
> 
> In the context of ActiveMQ, the CVE is not very severe IMHO.
> 
> Regards
> JB
> 
> On Thu, Mar 31, 2022 at 4:05 PM Matt Pavlovich <ma...@gmail.com> wrote:
>> 
>> @JB—
>> 
>> The Spring release documentation is indicating that “older unsupported” releases are impacted— ie Spring 4.x used by ActiveMQ 5.16.x.
>> 
>> If we do not get a Spring 4.x fix, we may need a corresponding announcement deprecating 5.16.x.
>> 
>> Thoughts?
>> Matt Pavlovich
>> 
>>> On Mar 31, 2022, at 7:47 AM, Jean-Baptiste Onofré <jb...@nanthrax.net> wrote:
>>> 
>>> Hi guys,
>>> 
>>> I would like to prepare ActiveMQ 5.17.1 release this week, probably to
>>> submit it to vote during the weekend or next week.
>>> 
>>> One of the main reasons is to update to Spring 5.3.18 which includes
>>> CVE fixes (https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement).
>>> I also have other fixes/updates to add.
>>> 
>>> Regards
>>> JB
>> 


Re: [PROPOSAL] Apache ActiveMQ 5.17.1 release (Spring CVE-2022-22965)

Posted by Jean-Baptiste Onofré <jb...@nanthrax.net>.
Hi,

We can "invite" our users to upgrade to 5.17.x asap. However, a lot of
users are still using 5.15.x/5.16.x, so, I would not be too "strict"
;)

In the context of ActiveMQ, the CVE is not very severe IMHO.

Regards
JB

On Thu, Mar 31, 2022 at 4:05 PM Matt Pavlovich <ma...@gmail.com> wrote:
>
> @JB—
>
> The Spring release documentation is indicating that “older unsupported” releases are impacted— ie Spring 4.x used by ActiveMQ 5.16.x.
>
> If we do not get a Spring 4.x fix, we may need a corresponding announcement deprecating 5.16.x.
>
> Thoughts?
> Matt Pavlovich
>
> > On Mar 31, 2022, at 7:47 AM, Jean-Baptiste Onofré <jb...@nanthrax.net> wrote:
> >
> > Hi guys,
> >
> > I would like to prepare ActiveMQ 5.17.1 release this week, probably to
> > submit it to vote during the weekend or next week.
> >
> > One of the main reasons is to update to Spring 5.3.18 which includes
> > CVE fixes (https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement).
> > I also have other fixes/updates to add.
> >
> > Regards
> > JB
>

Re: [PROPOSAL] Apache ActiveMQ 5.17.1 release (Spring CVE-2022-22965)

Posted by Matt Pavlovich <ma...@gmail.com>.
@JB—

The Spring release documentation is indicating that “older unsupported” releases are impacted— ie Spring 4.x used by ActiveMQ 5.16.x.

If we do not get a Spring 4.x fix, we may need a corresponding announcement deprecating 5.16.x.

Thoughts?
Matt Pavlovich

> On Mar 31, 2022, at 7:47 AM, Jean-Baptiste Onofré <jb...@nanthrax.net> wrote:
> 
> Hi guys,
> 
> I would like to prepare ActiveMQ 5.17.1 release this week, probably to
> submit it to vote during the weekend or next week.
> 
> One of the main reasons is to update to Spring 5.3.18 which includes
> CVE fixes (https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement).
> I also have other fixes/updates to add.
> 
> Regards
> JB


Re: [PROPOSAL] Apache ActiveMQ 5.17.1 release

Posted by Matt Pavlovich <ma...@gmail.com>.
+1 Good idea.

> On Mar 31, 2022, at 7:47 AM, Jean-Baptiste Onofré <jb...@nanthrax.net> wrote:
> 
> Hi guys,
> 
> I would like to prepare ActiveMQ 5.17.1 release this week, probably to
> submit it to vote during the weekend or next week.
> 
> One of the main reasons is to update to Spring 5.3.18 which includes
> CVE fixes (https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement).
> I also have other fixes/updates to add.
> 
> Regards
> JB