Still looking for hard confirmation Spring 4.x is impacted. This is a document from VMware that mentions “older unsupported versions”— https://tanzu.vmware.com/security/cve-2022-22965
> On Mar 31, 2022, at 9:05 AM, Matt Pavlovich <mattr...@gmail.com> wrote:
>
> @JB—
>
> The Spring release documentation is indicating that “older unsupported”
> releases impacted— ie Spring 4.x used by ActiveMQ 5.16.x.
>
> If we do not get a Spring 4.x fix, we may need a corresponding announcement
> deprecating 5.16.x.
>
> Thoughts?
> Matt Pavlovich
>
>> On Mar 31, 2022, at 7:47 AM, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
>>
>> Hi guys,
>>
>> I would like to prepare ActiveMQ 5.17.1 release this week, probably to
>> submit it to vote during the weekend or next week.
>>
>> One of the main reasons is to update to Spring 5.3.18 which includes
>> CVE fixes
>> (https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement).
>> I also have other fixes/updates to add.
>>
>> Regards
>> JB