Hi guys,

Quick update about the ActiveMQ 5.17.1 release.

We have the last update PRs to merge and a couple of fixes to do. I'm working on it this week. I will submit 5.17.1 to vote by the end of the week.

Regards
JB

On Sat, Apr 2, 2022 at 6:11 AM Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
>
> Hi Bruce,
>
> Yes, ActiveMQ 5.17.x requires JDK 11, and yes, the client part doesn't use
> Spring (only the broker does).
>
> Regards
> JB
>
> On Fri, Apr 1, 2022 at 11:41 PM W B D <w...@users.sourceforge.net> wrote:
> >
> > Just to be clear, please advise, does ActiveMQ 5.17.x *require* JRE 11+
> > (or >1.8 in any case) at runtime, even if only using the client JAR
> > (without the additional dependencies required to support embedded brokers
> > using the vm and peer transports, for example).
> >
> > And second, please confirm, I don't need to worry about these Spring
> > related vulnerabilities if using only the client JAR, e.g. for tcp or
> > failover connections, with no embedded brokers.
> >
> > If this second point is correct, then at least it shouldn't be a big deal
> > if some of our client applications do need to reference ActiveMQ client
> > version 5.16.4, even after our broker(s) have been upgraded to 5.17.1+.
> >
> > Thanks,
> > Bruce D
> >
> > On Thu, Mar 31, 2022 at 7:56 AM Matt Pavlovich <mattr...@gmail.com> wrote:
> > >
> > > One more note — the current exploit _requires_ JDK 9+, so many 5.15.x and
> > > some 5.16.x would not be impacted.
> > >
> > > > On Mar 31, 2022, at 9:21 AM, Matt Pavlovich <mattr...@gmail.com> wrote:
> > > >
> > > > @JB — Agreed, so far there is no published exploit that would impact
> > > > ActiveMQ.
> > > >
> > > > Here is the latest I was able to find from Spring regarding backports
> > > > (sounds like no 4.x patch is coming):
> > > >
> > > > ref: https://github.com/spring-projects/spring-framework/issues/28260
> > > >
> > > > Thanks,
> > > > Matt Pavlovich
> > > >
> > > >> On Mar 31, 2022, at 9:10 AM, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
> > > >>
> > > >> Hi,
> > > >>
> > > >> We can "invite" our users to upgrade to 5.17.x asap. However, a lot of
> > > >> users are still using 5.15.x/5.16.x, so I would not be too "strict"
> > > >> ;)
> > > >>
> > > >> In the context of ActiveMQ, the CVE is not very severe IMHO.
> > > >>
> > > >> Regards
> > > >> JB
> > > >>
> > > >> On Thu, Mar 31, 2022 at 4:05 PM Matt Pavlovich <mattr...@gmail.com> wrote:
> > > >>>
> > > >>> @JB —
> > > >>>
> > > >>> The Spring release documentation is indicating that "older
> > > >>> unsupported" releases are impacted, i.e. Spring 4.x used by
> > > >>> ActiveMQ 5.16.x.
> > > >>>
> > > >>> If we do not get a Spring 4.x fix, we may need a corresponding
> > > >>> announcement deprecating 5.16.x.
> > > >>>
> > > >>> Thoughts?
> > > >>> Matt Pavlovich
> > > >>>
> > > >>>> On Mar 31, 2022, at 7:47 AM, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
> > > >>>>
> > > >>>> Hi guys,
> > > >>>>
> > > >>>> I would like to prepare the ActiveMQ 5.17.1 release this week,
> > > >>>> probably to submit it to vote during the weekend or next week.
> > > >>>>
> > > >>>> One of the main reasons is to update to Spring 5.3.18 which includes
> > > >>>> CVE fixes
> > > >>>> (https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement).
> > > >>>> I also have other fixes/updates to add.
> > > >>>>
> > > >>>> Regards
> > > >>>> JB
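The thread above reduces to three facts a deployer has to combine: the Spring Framework fix version is 5.3.18 (the linked advisory also ships 5.2.20 for the 5.2.x line, and Spring 4.x gets no fix), the published exploit needs JDK 9+, and the ActiveMQ client JAR does not pull in Spring at all. The script below is an added example, not code from the thread or from the ActiveMQ project, that applies those rules to a classpath listing: it parses `spring-*.jar` names, decides whether each is at or above its fix version, and reports the JDK 9+ caveat separately. The jar listings at the bottom are constructed for illustration (the exact jar names in a real ActiveMQ `lib/` directory may differ), and `assess_dir` assumes the directory contains the jars directly.

```python
import os
import re

# Fix versions from the Spring Framework advisory linked in the thread:
# 5.3.18 (named in the thread) and 5.2.20 (the parallel 5.2.x fix).
# Spring 4.x received no fix, as the thread notes.
FIX_5_3 = (5, 3, 18)
FIX_5_2 = (5, 2, 20)

# Matches names such as spring-beans-5.3.18.jar or spring-jms-4.3.30.RELEASE.jar.
SPRING_JAR = re.compile(
    r"^spring-([a-z][a-z-]*?)-(\d+)\.(\d+)\.(\d+)(?:\.RELEASE)?\.jar$"
)


def parse_spring_jars(jar_names):
    """Return {artifact: (major, minor, patch)} for every spring-*.jar in the list."""
    found = {}
    for name in jar_names:
        m = SPRING_JAR.match(name)
        if m:
            found[m.group(1)] = tuple(int(x) for x in m.group(2, 3, 4))
    return found


def spring_is_patched(version):
    """True if this Spring Framework version carries the March 2022 RCE fix."""
    if version >= FIX_5_3:
        return True                      # 5.3.18+ and any later line
    if FIX_5_2 <= version < (5, 3, 0):
        return True                      # 5.2.20+ on the 5.2.x line
    return False                         # 5.3.0-5.3.17, 5.2.0-5.2.19, 4.x and older


def assess(jar_names, java_major):
    """Classify a classpath listing against the thread's three rules.

    Returns one of:
      "no-spring"      - no Spring jars at all (e.g. a client-only classpath)
      "patched"        - every Spring jar is at or above its fix version
      "unpatched-jdk8" - unpatched Spring, but the JDK 9+ exploit condition is not met
      "unpatched"      - unpatched Spring running on JDK 9+
    """
    spring = parse_spring_jars(jar_names)
    if not spring:
        return "no-spring"
    if all(spring_is_patched(v) for v in spring.values()):
        return "patched"
    return "unpatched" if java_major >= 9 else "unpatched-jdk8"


def assess_dir(lib_dir, java_major):
    """Same check over a real directory of jars (assumes jars sit directly in lib_dir)."""
    return assess(os.listdir(lib_dir), java_major)


# Constructed sample listings (illustrative names, not copied from a real lib/ directory).
BROKER_5_16 = ["activemq-broker-5.16.4.jar", "spring-beans-4.3.30.RELEASE.jar",
               "spring-context-4.3.30.RELEASE.jar", "spring-jms-4.3.30.RELEASE.jar"]
BROKER_5_17 = ["activemq-broker-5.17.1.jar", "spring-beans-5.3.18.jar",
               "spring-context-5.3.18.jar", "spring-jms-5.3.18.jar"]
CLIENT_ONLY = ["activemq-client-5.16.4.jar", "hawtbuf-1.11.jar", "slf4j-api-1.7.36.jar"]

if __name__ == "__main__":
    for label, jars, jdk in [("broker 5.16.x on JDK 8", BROKER_5_16, 8),
                             ("broker 5.16.x on JDK 11", BROKER_5_16, 11),
                             ("broker 5.17.1 on JDK 11", BROKER_5_17, 11),
                             ("client-only app on JDK 17", CLIENT_ONLY, 17)]:
        print(f"{label}: {assess(jars, jdk)}")
```

Two caveats when using this against a real deployment: "no-spring" only holds for what is on the listed classpath, so an application that embeds a broker or pulls Spring in through another dependency must be checked with that full classpath; and "unpatched-jdk8" means the published exploit's precondition is absent, not that the version is safe, so the upgrade is still due.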