Hi, Jolokia access has been fixed in 5.16.6 (see https://activemq.apache.org/security-advisories.data/CVE-2024-32114-announcement.txt and https://activemq.apache.org/security-advisories.data/CVE-2022-41678-announcement.txt).
ActiveMQ 5.6.x is not maintained anymore, so I strongly encourage the Debian community to update the ActiveMQ package to at least 5.18.x.

Regards
JB

On Sun, Nov 24, 2024 at 7:34 PM Arturo Borrero Gonzalez <art...@debian.org> wrote:
>
> Hi there,
>
> As part of the Debian (E)LTS initiative, I'm working on trying to fix
> CVE-2022-41678 on the activemq packages in Debian. In particular, I'm
> interested in Debian Jessie and activemq 5.6.0.
>
> The patch [0] to correct the jolokia config doesn't apply to the source code
> we have in Debian for activemq 5.6.0, and I suspect this is because that
> version may not include the jolokia integration.
>
> I wanted to confirm this theory, but I'm not familiar enough with the activemq
> codebase, or the history of older releases.
>
> Please, let me know how you think we should deal with CVE-2022-41678 in
> activemq 5.6.0.
>
> thanks, regards.
>
> [0] https://github.com/apache/activemq/commit/bf65929fdc607d5bb953a507c2f0c7256ae8e5b6