That version is probably a commercial release. This blog post talks about
version 5.3.42 as commercial
https://spring.io/blog/2024/11/15/spring-framework-cve-2024-38828-published

So obviously we won't be upgrading to anything beyond 5.3.39 as that is the
last open source release.

On Tue, Nov 26, 2024 at 11:50 AM Justin Bertram <jbert...@apache.org> wrote:

> > ...5.3.41 resolves those vulnerabilities.
>
> There is no release for Spring 5.3.41. It is not tagged in their repo [1]
> and it is not in Maven [2].
>
> > What version of AMQ will be updating Spring to that version?
>
> That remains to be seen since Spring 5.3.41 isn't yet released.
> Furthermore, 5.3.40 is also not yet released.
>
> > Shouldn't AMQ include the latest Spring?
>
> Based on the evidence Spring 5.3.39 _is_ the latest release.
>
> What has given you the impression that Spring 5.3.41 is available?
>
>
> Justin
>
> [1] https://github.com/spring-projects/spring-framework/tags
> [2] https://repo1.maven.org/maven2/org/springframework/spring-core/
>
> On Tue, Nov 26, 2024 at 10:20 AM Matthew Gay
> <matthew....@broadcom.com.invalid> wrote:
>
> > Sorry, I got my versions mixed up.
> >
> > Spring 5.3.39 is currently shipped with AMQ and is vulnerable.
> > 5.3.41 resolves those vulnerabilities.
> >
> > What version of AMQ will be updating Spring to that version?
> > I see on your link provided (thank you) that it is still 5.3.39 with a
> > release date of late December.
> >
> > Shouldn't AMQ include the latest Spring?
> >
> >
> > Matthew Gay
> >
> > Principal Support Engineer | Agile Operations Division
> >
> > Broadcom
> >
> > matthew....@broadcom.com
> >
> > Twitter <https://twitter.com/BroadcomSW> | LinkedIn
> > <https://www.linkedin.com/company/broadcomsoftware>
> >
> >
> > *To help expedite routing to the correct SME, please follow these
> > **SUGGESTIONS
> > <https://knowledge.broadcom.com/external/article?articleId=275717> when
> > opening a DX NetOps case*
> >
> >
> > On Tue, Nov 26, 2024 at 10:57 AM Jean-Baptiste Onofré <j...@nanthrax.net>
> > wrote:
> >
> >> Hi Matt
> >>
> >> Not sure I understand: Spring 5.18.41 doesn't exist afaik (
> >> https://repo1.maven.org/maven2/org/springframework/spring-core/).
> >>
> >> ActiveMQ 5.18.x is using Spring 5.3.39.
> >>
> >> You can find Spring versions used on the table here:
> >> https://activemq.apache.org/components/classic/download/ (in the
> >> schedule & status section).
> >>
> >> Regards
> >> JB
> >>
> >> On Tue, Nov 26, 2024 at 4:45 PM Matthew Gay
> >> <matthew....@broadcom.com.invalid> wrote:
> >>
> >> > Hi Team,
> >> >
> >> > Is there any timeline or versioning available for when AMQ will update
> >> > to Spring 5.18.41?
> >> >
> >> > Thanks!
> >> > Matt
> >> >
> >> >
> >> >
> >> > This electronic communication and the information and any files
> >> > transmitted with it, or attached to it, are confidential and are
> >> > intended solely for the use of the individual or entity to whom it is
> >> > addressed and may contain information that is confidential, legally
> >> > privileged, protected by privacy laws, or otherwise restricted from
> >> > disclosure to anyone else. If you are not the intended recipient or the
> >> > person responsible for delivering the e-mail to the intended recipient,
> >> > you are hereby notified that any use, copying, distributing,
> >> > dissemination, forwarding, printing, or copying of this e-mail is
> >> > strictly prohibited. If you received this e-mail in error, please
> >> > return the e-mail to the sender, delete it from your computer, and
> >> > destroy any printed copy of it.
> >>
> >
>
