Hi,

We can "invite" our users to upgrade to 5.17.x asap. However, a lot of users are still using 5.15.x/5.16.x, so, I would not be too "strict" ;)

In the context of ActiveMQ, the CVE is not very severe IMHO.

Regards
JB

On Thu, Mar 31, 2022 at 4:05 PM Matt Pavlovich <mattr...@gmail.com> wrote:
>
> @JB—
>
> The Spring release documentation is indicating that “older unsupported”
> releases impacted— ie Spring 4.x used by ActiveMQ 5.16.x.
>
> If we do not get a Spring 4.x fix, we may need a corresponding announcement
> deprecating 5.16.x.
>
> Thoughts?
> Matt Pavlovich
>
> > On Mar 31, 2022, at 7:47 AM, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
> >
> > Hi guys,
> >
> > I would like to prepare ActiveMQ 5.17.1 release this week, probably to
> > submit it to vote during the weekend or next week.
> >
> > One of the main reasons is to update to Spring 5.3.18 which includes
> > CVE fixes
> > (https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement).
> > I also have other fixes/updates to add.
> >
> > Regards
> > JB
>