Posted to users@qpid.apache.org by rhudumula <rh...@salesforce.com.INVALID> on 2021/03/09 18:54:29 UTC

Addressing CVE-2020-5258 in Qpid Broker-J

Hi Qpid team,

CVE-2020-5258 is reported against dojo-toolkit and the fix is available in
these versions - 1.14.6 and 1.16.2. The latest Qpid Broker-J versions still
seem to be using older dojo-toolkit versions. 
Any update on when this will be addressed? Or is it safe to just pick
the latest dojo-toolkit version?

Thanks,
Rajashekar



--
Sent from: http://qpid.2158936.n2.nabble.com/Apache-Qpid-users-f2158936.html

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org
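As an added example (not code from this thread or from the Qpid project), the following Python script answers the practical question behind the report: does a Broker-J build still bundle a dojo-toolkit version older than the fixed releases named above (1.14.6 and 1.16.2)? It assumes the bundled copy exposes its version either through a `version` field in a package.json or through the `major`/`minor`/`patch` literal in dojo's kernel source; both sample inputs below are constructed, and the thread gives no file locations inside a Broker-J distribution, so those must be located by hand.

```python
"""
Added example: classify a bundled dojo-toolkit version against the fixed
releases named in the thread (1.14.6 and 1.16.2). Not Qpid project code.
"""
import json
import re
from typing import Optional, Tuple

# Lowest fixed release per minor line, exactly as stated in the thread.
FIXED_BY_MINOR = {
    (1, 14): (1, 14, 6),
    (1, 16): (1, 16, 2),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '1.16.3' (or '1.16') into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised dojo version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def dojo_status(version: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for a dojo version string."""
    v = parse_version(version)
    line = v[:2]
    if line in FIXED_BY_MINOR:
        return "fixed" if v >= FIXED_BY_MINOR[line] else "vulnerable"
    if line < min(FIXED_BY_MINOR):
        return "vulnerable"   # older than any line that received the fix
    if line > max(FIXED_BY_MINOR):
        return "fixed"        # newer line, released after the fix landed
    return "unknown"          # e.g. 1.15.x: not named in the thread, check manually


def version_from_package_json(text: str) -> Optional[str]:
    """Read the 'version' field of a dojo package.json (assumed layout)."""
    try:
        return json.loads(text).get("version")
    except ValueError:
        return None


# dojo's kernel source carries a version object with major/minor/patch fields;
# this is an assumption about the bundled file, so confirm it against your copy.
VERSION_OBJECT = re.compile(
    r"major\s*:\s*(\d+)\s*,\s*minor\s*:\s*(\d+)\s*,\s*patch\s*:\s*(\d+)"
)


def version_from_kernel(text: str) -> Optional[str]:
    """Recover 'major.minor.patch' from the version literal in kernel source."""
    m = VERSION_OBJECT.search(text)
    return ".".join(m.groups()) if m else None


# Constructed sample inputs: an old bundled package.json and a kernel snippet
# matching the 1.16.3 version Alex says 8.0.5 ships.
SAMPLE_PACKAGE_JSON = '{"name": "dojo", "version": "1.10.4"}'
SAMPLE_KERNEL_SNIPPET = 'version:{major:1,minor:16,patch:3,flag:"",revision:"0000000"}'


def audit_samples() -> dict:
    """Classify both constructed samples; returns {label: (version, status)}."""
    found = {
        "package.json": version_from_package_json(SAMPLE_PACKAGE_JSON),
        "kernel.js": version_from_kernel(SAMPLE_KERNEL_SNIPPET),
    }
    return {label: (v, dojo_status(v)) for label, v in found.items() if v}


if __name__ == "__main__":
    for label, (version, status) in audit_samples().items():
        print(f"{label}: dojo {version} -> {status}")
```

Run it against the real files once you have located them in the broker's management-plugin resources; a `vulnerable` result for the bundled copy means the CVE still applies until the broker is upgraded to a release carrying 1.16.3 or later.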


Re: Addressing CVE-2020-5258 in Qpid Broker-J

Posted by Oleksandr Rudyy <or...@gmail.com>.
Hi Tom,
My apologies. It is a typo. There will be no 8.1.x releases. I meant
versions 8.0.x.

Kind Regards,
Alex

On Thu, 18 Mar 2021 at 15:11, Tom Jordahl <tj...@adobe.com.invalid> wrote:
>
> Hi Alex,
>
> You say below that the dojotoolkit will be updated in 8.0.5, but then you mention upgrading to the “latest 8.1.x version”.
> Was that a typo or do you expect an 8.1.0 release to be coming soon?
>
> I was planning on upgrading from 7.1.x to 8.x and wanted to make sure I picked up this fix.
>
> BTW – any caveats to upgrading from 7 to 8 that anyone is aware of?  I reviewed the release notes and it doesn’t seem like any breaking changes were made.
> Thanks.
> --
> Tom
>
> From: Oleksandr Rudyy <or...@gmail.com>
> Reply-To: "users@qpid.apache.org" <us...@qpid.apache.org>
> Date: Sunday, March 14, 2021 at 4:22 PM
> To: "users@qpid.apache.org" <us...@qpid.apache.org>
> Subject: Re: Addressing CVE-2020-5258 in Qpid Broker-J
>
> Hi Rajashekar,
>
> Thanks for bringing this to our attention.
> I committed a change upgrading dojotoolkit to version 1.16.3 on master
> and 8.0.x branches. It will be available in version 8.0.5.
> I am not planning to release a new 7.1.x version. We released 7.1.0
> around two years ago in January 2019. The life cycle of a major/minor
> version is 2 years, which includes building maintenance releases
> with fixes for security and critical issues. The users of 7.1.x
> versions should upgrade their brokers to the latest 8.1.x version.
>
> Kind Regards,
> Alex
>
> [1] https://issues.apache.org/jira/browse/QPID-8511
>
> On Tue, 9 Mar 2021 at 18:54, rhudumula <rh...@salesforce.com.invalid> wrote:
>
> Hi Qpid team,
>
> CVE-2020-5258 is reported against dojo-toolkit and the fix is available in
> these versions - 1.14.6 and 1.16.2. The latest Qpid Broker-J versions still
> seem to be using older dojo-toolkit versions.
> Any update on when this will be addressed? Or is it safe to just pick
> the latest dojo-toolkit version?
>
> Thanks,
> Rajashekar
>
>
>



Re: Addressing CVE-2020-5258 in Qpid Broker-J

Posted by Tom Jordahl <tj...@adobe.com.INVALID>.
Hi Alex,

You say below that the dojotoolkit will be updated in 8.0.5, but then you mention upgrading to the “latest 8.1.x version”.
Was that a typo or do you expect an 8.1.0 release to be coming soon?

I was planning on upgrading from 7.1.x to 8.x and wanted to make sure I picked up this fix.

BTW – any caveats to upgrading from 7 to 8 that anyone is aware of?  I reviewed the release notes and it doesn’t seem like any breaking changes were made.
Thanks.
--
Tom

From: Oleksandr Rudyy <or...@gmail.com>
Reply-To: "users@qpid.apache.org" <us...@qpid.apache.org>
Date: Sunday, March 14, 2021 at 4:22 PM
To: "users@qpid.apache.org" <us...@qpid.apache.org>
Subject: Re: Addressing CVE-2020-5258 in Qpid Broker-J

Hi Rajashekar,

Thanks for bringing this to our attention.
I committed a change upgrading dojotoolkit to version 1.16.3 on master
and 8.0.x branches. It will be available in version 8.0.5.
I am not planning to release a new 7.1.x version. We released 7.1.0
around two years ago in January 2019. The life cycle of a major/minor
version is 2 years, which includes building maintenance releases
with fixes for security and critical issues. The users of 7.1.x
versions should upgrade their brokers to the latest 8.1.x version.

Kind Regards,
Alex

[1] https://issues.apache.org/jira/browse/QPID-8511

On Tue, 9 Mar 2021 at 18:54, rhudumula <rh...@salesforce.com.invalid> wrote:

Hi Qpid team,

CVE-2020-5258 is reported against dojo-toolkit and the fix is available in
these versions - 1.14.6 and 1.16.2. The latest Qpid Broker-J versions still
seem to be using older dojo-toolkit versions.
Any update on when this will be addressed? Or is it safe to just pick
the latest dojo-toolkit version?

Thanks,
Rajashekar






Re: Addressing CVE-2020-5258 in Qpid Broker-J

Posted by rhudumula <rh...@salesforce.com.INVALID>.
Thanks Alex for the update. We will plan to upgrade to 8.1.x version.





Re: Addressing CVE-2020-5258 in Qpid Broker-J

Posted by Oleksandr Rudyy <or...@gmail.com>.
Hi Rajashekar,

Thanks for bringing this to our attention.
I committed a change upgrading dojotoolkit to version 1.16.3 on master
and 8.0.x branches. It will be available in version 8.0.5.
I am not planning to release a new 7.1.x version. We released 7.1.0
around two years ago in January 2019. The life cycle of a major/minor
version is 2 years, which includes building maintenance releases
with fixes for security and critical issues. The users of 7.1.x
versions should upgrade their brokers to the latest 8.1.x version.

Kind Regards,
Alex

[1] https://issues.apache.org/jira/browse/QPID-8511

On Tue, 9 Mar 2021 at 18:54, rhudumula <rh...@salesforce.com.invalid> wrote:
>
> Hi Qpid team,
>
> CVE-2020-5258 is reported against dojo-toolkit and the fix is available in
> these versions - 1.14.6 and 1.16.2. The latest Qpid Broker-J versions still
> seem to be using older dojo-toolkit versions.
> Any update on when this will be addressed? Or is it safe to just pick
> the latest dojo-toolkit version?
>
> Thanks,
> Rajashekar
>
>
>
>
