Posted to users@activemq.apache.org by Deepti Sharma S <de...@ericsson.com.INVALID> on 2022/02/07 12:20:41 UTC

RE: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)

Hello Justin,

I would like to follow up on the release date of ActiveMQ 5.17.x version. I have seen the below thread, however could not find the exact date/week for the same.

Could you please help here?

Also, can we build ActiveMQ and upgrade Log4J 2.x on our own? Can you please help us understand the procedure for the same?


Regards,
Deepti Sharma 
PMP® & ITIL 


-----Original Message-----
From: Justin Bertram <jb...@apache.org> 
Sent: Tuesday, January 18, 2022 9:09 PM
To: users@activemq.apache.org
Subject: Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)

> when we download the Active Mq from below Maven link the jar name is "ActiveMQ all", however I could not find this from Active MQ website.

All Maven artifacts are built from the source code. You can find links to all the ActiveMQ source code repositories on the website [1]. You need to look in the actual repository to see the code for a specific Maven module like "activemq-all" which can be found here [2].

> I might miss the release date for 5.17...

If you miss anything on the users mailing list you can go back and review the archive [3] which is linked from the website [4].


Justin

[1] https://activemq.apache.org/contributing
[2] https://github.com/apache/activemq/tree/main/activemq-all
[3] https://lists.apache.org/list.html?users@activemq.apache.org
[4] https://activemq.apache.org/contact

On Tue, Jan 18, 2022 at 9:06 AM Deepti Sharma S <de...@ericsson.com.invalid> wrote:

> Hello Justin,
>
> The question is, when we download the Active Mq from below Maven link
> the jar name is "ActiveMQ all", however I could not find this from
> Active MQ website.
>
> I might miss the release date for 5.17, it would be helpful, if you 
> could confirm the release date for the same.
>
>
> Regards,
> Deepti Sharma
> PMP® & ITIL
>
>
> -----Original Message-----
> From: Justin Bertram <jb...@apache.org>
> Sent: Tuesday, January 18, 2022 8:33 PM
> To: users@activemq.apache.org
> Subject: Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 
> (Critical)
>
> > Does Active MQ all (//
> > https://mvnrepository.com/artifact/org.apache.activemq/activemq-all
> > implementation 'org.apache.activemq:activemq-all:5.16.3') is same as
> > Active MQ Classic?
>
> I don't understand the question. What exactly are you asking here?
>
> > When we are expecting the Active MQ 5.17.x version with Log4J 2.17.x?
>
> This question has *already* been answered on this thread (and many 
> other places on this mailing list).
>
>
> Justin
>
> On Tue, Jan 18, 2022 at 8:27 AM Deepti Sharma S < 
> deepti.s.sharma@ericsson.com.invalid> wrote:
>
> > Hello All,
> >
> > 2 questions:
> > Does Active MQ all (//
> > https://mvnrepository.com/artifact/org.apache.activemq/activemq-all
> > implementation 'org.apache.activemq:activemq-all:5.16.3') is same as 
> > Active MQ Classic?
> > When we are expecting the Active MQ 5.17.x version with Log4J 2.17.x?
> >
> >
> > Regards,
> > Deepti Sharma
> > PMP® & ITIL
> >
> >
> > -----Original Message-----
> > From: Justin Bertram <jb...@apache.org>
> > Sent: Sunday, January 9, 2022 1:29 AM
> > To: users@activemq.apache.org
> > Subject: Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0
> > (Critical)
> >
> > For what it's worth, it's already noted on the index page as well as 
> > the "News" page as well as noted in multiple emails on both the 
> > users and dev mailing lists. Even searches for "activemq 
> > CVE-2021-44228" on DuckDuckGo, Google, or Bing provide the relevant 
> > information in the first few results.
> > In my opinion if folks aren't finding the information it's because
> > they aren't looking. There's always going to be folks like that
> > unfortunately.
> >
> >
> > Justin
> >
> >
> > On Sat, Jan 8, 2022 at 10:07 AM Jean-Baptiste Onofre 
> > <jb...@nanthrax.net>
> > wrote:
> >
> > > Hi Tim,
> > >
> > > Good idea, I think it would be helpful to have it directly on 
> > > index page and contact yeah.
> > >
> > > I can do the change if everyone agrees.
> > >
> > > Thanks !
> > >
> > > Regards
> > > JB
> > >
> > > > On 8 Jan 2022, at 16:44, Tim Bain <tb...@alumni.duke.edu> wrote:
> > > >
> > > > JB, should we put that link somewhere prominent on
> > > > https://activemq.apache.org/contact for a few months? I believe
> > > > all the users who posted questions about the CVE were first-time
> > > > posters who likely went to that page before posting questions,
> > > > so we might be able to save everyone the time and frustration
> > > > by heading off the question for folks.
> > > >
> > > > Tim
> > > >
> > > > On Sat, Jan 8, 2022, 6:01 AM Jean-Baptiste Onofre <jb...@nanthrax.net> wrote:
> > > >
> > > >> Hi,
> > > >>
> > > >> Again, a new time:
> > > >>
> > > >> https://activemq.apache.org/news/cve-2021-44228
> > > >>
> > > >> AGAIN, ActiveMQ 5.15/5.16 are NOT affected by log4j 2.x CVE 
> > > >> because they are using log4j 1.x
> > > >>
> > > >> ActiveMQ 5.17.x (not yet released) will use at least log4j 2.17.1.
> > > >>
> > > >> Regards
> > > >> JB
> > > >>
> > > >>> On 8 Jan 2022, at 11:35, Deepti Sharma S <deepti.s.sharma@ericsson.com.INVALID> wrote:
> > > >>>
> > > >>> Hello Team,
> > > >>>
> > > >>> As we have Log4J vulnerability CVE-2021-44228, CVSS 10.0
> > > >>> (Critical), can you please confirm, when we have ActiveMQ all,
> > > >>> version release which has this vulnerability fix and has Log4J
> > > >>> version 2.17?
> > > >>>
> > > >>>
> > > >>>
> > > >>> Regards,
> > > >>> Deepti Sharma
> > > >>> PMP® & ITIL
> > > >>>
> > > >>>
> > > >>
> > > >>
> > >
> > >
> >
> >
>
>


Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)

Posted by Matt Pavlovich <ma...@gmail.com>.
Hello Deepti- 

ActiveMQ 5.16.2 and 5.16.3 are _not_ vulnerable to CVE-2021-44228.

Thanks,
Matt

> On Feb 7, 2022, at 11:32 AM, Deepti Sharma S <de...@ericsson.com.INVALID> wrote:
> 
> Hello Matt,
> 
> We are using ActiveMQ all version 5.16.2 and 5.16.3.
> 
> 
> Regards,
> Deepti Sharma 
> PMP® & ITIL 
> 
> 
> -----Original Message-----
> From: Matt Pavlovich <ma...@gmail.com> 
> Sent: Monday, February 7, 2022 10:50 PM
> To: users@activemq.apache.org
> Subject: Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)
> 
> Hello Deepti-
> 
> What version of ActiveMQ are you using? I suspect that you have incorrect information about CVE-2021-44228 and ActiveMQ.
> 
> -Matt Pavlovich
> 
> 
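
The replies above turn on which log4j generation is actually bundled in the jar being run. The following is an added example, not code from this thread or from the ActiveMQ project: it scans a jar (and jars nested inside it) for log4j 1.x versus log4j-core 2.x and compares any 2.x version with the 2.17.1 floor mentioned for 5.17.x. The marker paths are the standard log4j class and Maven metadata paths, assumed to survive repackaging, and the sample jars are constructed in memory.

```python
import io
import re
import zipfile

# Standard class / Maven metadata paths (assumed to survive shading or repackaging).
LOG4J2_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOG4J1_POM = "META-INF/maven/log4j/log4j/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Caveat: the log4j-1.2-api bridge shipped with Log4j 2 uses the same class name.
LOG4J1_CLASS = "org/apache/log4j/Category.class"
MIN_LOG4J2 = (2, 17, 1)   # floor named in the thread for ActiveMQ 5.17.x
MAX_DEPTH = 3             # how far to follow jars nested inside jars


def _pom_version(zf, pom_path):
    """Return the version= value from a pom.properties entry, or None."""
    try:
        text = zf.read(pom_path).decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^version=(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None


def _as_tuple(version):
    """'2.17.1' -> (2, 17, 1); a missing patch part counts as 0; None if unparsable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version or "")
    return tuple(int(p or 0) for p in m.groups()) if m else None


def scan_jar(data, name="<jar>", depth=0):
    """Scan jar bytes, and nested archives, for log4j 1.x and log4j-core 2.x."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = set(zf.namelist())
        if LOG4J1_CLASS in names or LOG4J1_POM in names:
            findings.append({"where": name, "lib": "log4j-1.x",
                             "version": _pom_version(zf, LOG4J1_POM)})
        if JNDI_LOOKUP in names or LOG4J2_POM in names:
            findings.append({"where": name, "lib": "log4j-core-2.x",
                             "version": _pom_version(zf, LOG4J2_POM),
                             "jndi_lookup": JNDI_LOOKUP in names})
        if depth < MAX_DEPTH:
            for entry in sorted(names):
                if entry.lower().endswith((".jar", ".war", ".ear")):
                    findings += scan_jar(zf.read(entry), f"{name}!/{entry}", depth + 1)
    return findings


def verdict(findings):
    """Reduce findings to one label; the worst log4j-core 2.x result wins."""
    if not findings:
        return "no-log4j-found"
    v2 = [f for f in findings if f["lib"] == "log4j-core-2.x"]
    if not v2:
        return "log4j-1.x-only"
    versions = [_as_tuple(f["version"]) for f in v2]
    if any(v is not None and v < MIN_LOG4J2 for v in versions):
        return "log4j-core-2.x-below-2.17.1"
    if any(v is None for v in versions):
        return "log4j-core-2.x-version-unknown"
    return "log4j-core-2.x-at-or-above-2.17.1"


def make_jar(entries):
    """Build a jar in memory from {path: bytes}; used only for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


# Constructed samples: stand-ins for illustration, not real release artifacts.
SAMPLE_LOG4J1_UBERJAR = make_jar({
    LOG4J1_CLASS: b"",
    LOG4J1_POM: b"groupId=log4j\nartifactId=log4j\nversion=1.2.17\n",
    "org/apache/activemq/ActiveMQConnectionFactory.class": b"",
})
SAMPLE_NESTED_LOG4J2 = make_jar({
    "lib/log4j-core-2.14.1.jar": make_jar({
        JNDI_LOOKUP: b"",
        LOG4J2_POM: b"version=2.14.1\nartifactId=log4j-core\n",
    }),
})
SAMPLE_PATCHED = make_jar({JNDI_LOOKUP: b"", LOG4J2_POM: b"version=2.17.1\n"})

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:          # pass the jar(s) you actually deploy
        with open(path, "rb") as fh:
            results = scan_jar(fh.read(), path)
        print(path, verdict(results), results)
```
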


RE: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)

Posted by Deepti Sharma S <de...@ericsson.com.INVALID>.
Hello Matt,

We are using ActiveMQ all version 5.16.2 and 5.16.3.


Regards,
Deepti Sharma 
PMP® & ITIL 


-----Original Message-----
From: Matt Pavlovich <ma...@gmail.com> 
Sent: Monday, February 7, 2022 10:50 PM
To: users@activemq.apache.org
Subject: Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)

Hello Deepti-

What version of ActiveMQ are you using? I suspect that you have incorrect information about CVE-2021-44228 and ActiveMQ.

-Matt Pavlovich




Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)

Posted by Matt Pavlovich <ma...@gmail.com>.
Hello Deepti-

What version of ActiveMQ are you using? I suspect that you have incorrect information about CVE-2021-44228 and ActiveMQ.

-Matt Pavlovich

> On Feb 7, 2022, at 6:20 AM, Deepti Sharma S <de...@ericsson.com.INVALID> wrote:
> 
> Hello Justin,
> 
> I would like to follow up on the release date of ActiveMQ 5.17.x version. I have seen the below thread, however could not find the exact date/week for the same.
> 
> Could you please help here?
> 
> Also, can we build ActiveMQ and upgrade Log4J 2.x on our own? Can you please help us understand the procedure for the same?
> 
> 
> Regards,
> Deepti Sharma 
> PMP® & ITIL 
> 
> 


Re: Active MQ All Fix for CVE-2021-44228, CVSS 10.0 (Critical)

Posted by Justin Bertram <jb...@apache.org>.
> I would like to follow up on the release date of ActiveMQ 5.17.x version. I have seen the below thread, however could not find the exact date/week for the same.

As noted previously, there is no exact release date. There is only a
projection about when the release will go up for a vote.

Previously it was projected that the release would go up for a vote in
early February. However, right before that time came a few issues were
discovered with some of the commits. Those issues need to be resolved
before the release can be put to a vote. I don't know what the current
projection is. I assume it's as-soon-as-possible.


Justin

On Mon, Feb 7, 2022 at 6:21 AM Deepti Sharma S
<de...@ericsson.com.invalid> wrote:

> Hello Justin,
>
> I would like to follow up on the release date of ActiveMQ 5.17.x version.
> I have seen the below thread, however could not find the exact date/week
> for the same.
>
> Could you please help here?
>
> Also, can we build ActiveMQ and upgrade Log4J 2.x on our own? Can
> you please help us understand the procedure for the same?
>
>
> Regards,
> Deepti Sharma
> PMP® & ITIL
>
>