Hi, I previously posted this to the private list (last year), but I didn't get any reply - so maybe I'll have more luck here :-)
I'd like to clear up 3 ActiveMQ CVEs that are reported at NIST, which have no "fix" version associated with them. Please give me some feedback on the following:

1) https://nvd.nist.gov/vuln/detail/CVE-2015-5182 (https://bugzilla.redhat.com/show_bug.cgi?id=1248809). The Red Hat bug is marked as "WONTFIX", so I'm not sure if this was accepted as a valid issue or not?

2) https://nvd.nist.gov/vuln/detail/CVE-2015-5183. This is reported against the HawtIO console for AMQ. If the fix was in HawtIO, and not AMQ, and we don't bundle HawtIO, then the CPE is invalid, as the issue has nothing to do with AMQ. Could someone confirm this? Was there any fix made to the AMQ codebase for this issue?

3) https://nvd.nist.gov/vuln/detail/CVE-2015-5184. This is reported against the HawtIO console for AMQ. If the fix was in HawtIO, and not AMQ, and we don't bundle HawtIO, then the CPE is invalid, as the issue has nothing to do with AMQ. Could someone confirm this? Was there any fix made to the AMQ codebase for this issue?

I can communicate the findings with NIST to update the CVEs if I get some feedback.

Colm.