To be clear, the project website (which you asked about originally) is supposed to be updated immediately after the notification emails are sent, before ASF security pushes the CVE to MITRE. From personal experience, dealing with security issues involves many steps and small details, not to mention the actual fix. It's easy to miss a step as happened here.

Justin

On Wed, Mar 4, 2026 at 2:50 PM Justin Bertram <[email protected]> wrote:

> The Apache process requires sending notification emails to the relevant
> mailing lists first, then ASF security pushes the CVE to the central
> database.
>
>
> Justin
>
> On Wed, Mar 4, 2026 at 2:43 PM Casey A. Owen via users <
> [email protected]> wrote:
>
>> One last question, just to make sure I understand y’all’s processes:
>>
>> Does Apache typically update the website at the same time email
>> notifications are issued, or is it updated on a less frequent basis? I’d
>> like to make sure we’re monitoring the most current source.
>>
>>
>>
>> *From:* Christopher Shannon <[email protected]>
>> *Sent:* Tuesday, March 3, 2026 6:50 PM
>> *To:* [email protected]
>> *Cc:* [email protected]; [email protected]; Casey A. Owen <
>> [email protected]>
>> *Subject:* **External Email** Re: Apache ActiveMQ: CVE-2025-66168 /
>> CVE-2025-27533
>>
>> I just pushed the missing CVE notices to the website, all of the 2025
>> notices are now there.
>>
>> Chris
>>
>> On Tue, Mar 3, 2026 at 4:55 PM Jean-Baptiste Onofré <[email protected]>
>> wrote:
>>
>> Hi,
>>
>> I am currently reviewing the security advisories. I have also received
>> several inquiries from the community regarding the possibility of a new
>> 5.18.x release that includes only the latest CVE fixes.
>>
>> I will begin preparing that release soon.
>>
>> Regards,
>> JB
>>
>> On Tue, Mar 3, 2026 at 3:13 PM Casey A. Owen via users <
>> [email protected]> wrote:
>>
>> > Hello,
>> >
>> > Could someone please clarify why the listed CVEs are not documented in the
>> > Apache ActiveMQ Classic Security Advisories at
>> > https://activemq.apache.org/components/classic/security?
>> >
>> > Thank you for your prompt attention to this matter,
>> >
>> >
>> > Casey Owen | Sr Applications Analyst
