Re: [VOTE] Apache ActiveMQ 6.1.0 release

2024-03-07 Thread Francois Papon

+1 (non-binding)

I made some tests on local projects.

Thanks JB for the release!

regards,

François

On 05/03/2024 18:38, Jean-Baptiste Onofré wrote:

Hi guys,

I submit the Apache ActiveMQ "Classic" 6.1.0 release to your vote.

This release includes:
- New JMS2/3 operations support
- Mapping javax / jakarta exception in openwire protocol
- Add destination field on the job scheduler
- Add org.apache.activemq.broker.BouncyCastleNotAdded property to
control the bouncycastle addition in BrokerService classloader
- Dependency upgrades (Spring 6.1.4, log4j 2.23.0, Jetty 11.0.20, ...)
- and a lot more!

You can take a look at the Release Notes for details:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12353745

Maven Staging Repository:
https://repository.apache.org/content/repositories/orgapacheactivemq-1387/

Dist Staging Repository:
https://dist.apache.org/repos/dist/dev/activemq/activemq/6.1.0/

Git tag: activemq-6.1.0

Please vote to approve this release:
[ ] +1 Approve the release
[ ] -1 Don't approve the release (please provide specific comments)

This vote will be open for at least 72 hours.

Thanks!
Regards
JB


CVE-2024-22243 Spring Framework Open Redirect Vulnerability - ActiveMQ 5.3.30

2024-03-07 Thread Matthew Gay
Good Morning,

We are receiving scan reports regarding ActiveMQ being vulnerable to the
above CVE.
We have seen a couple emails that allude to ActiveMQ not being vulnerable.

However, we are looking for a more official response indicating if it is,
or is not vulnerable.
And to add - when an updated version of ActiveMQ will be available on the
5.3.x line for this vulnerability.

Thank you!
Matt

-- 
This electronic communication and the information and any files transmitted 
with it, or attached to it, are confidential and are intended solely for 
the use of the individual or entity to whom it is addressed and may contain 
information that is confidential, legally privileged, protected by privacy 
laws, or otherwise restricted from disclosure to anyone else. If you are 
not the intended recipient or the person responsible for delivering the 
e-mail to the intended recipient, you are hereby notified that any use, 
copying, distributing, dissemination, forwarding, printing, or copying of 
this e-mail is strictly prohibited. If you received this e-mail in error, 
please return the e-mail to the sender, delete it from your computer, and 
destroy any printed copy of it.




Re: CVE-2024-22243 Spring Framework Open Redirect Vulnerability - ActiveMQ 5.3.30

2024-03-07 Thread Jean-Baptiste Onofré
Hi Matt,

I think you are missing the ActiveMQ version and Spring version.

5.3.30 is the Spring version, used in ActiveMQ 5.18.x. ActiveMQ 5.18.4
will upgrade to Spring 5.3.31 fixing the CVE.

Regards
JB

On Thu, Mar 7, 2024 at 2:25 PM Matthew Gay wrote:
>
> Good Morning,
>
> We are receiving scan reports regarding ActiveMQ being vulnerable to the 
> above CVE.
> We have seen a couple emails that allude to ActiveMQ not being vulnerable.
>
> However, we are looking for a more official response indicating if it is, or 
> is not vulnerable.
> And to add - when an updated version of ActiveMQ will be available on the 
> 5.3.x line for this vulnerability.
>
> Thank you!
> Matt

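An added check, written by the editor and not taken from the thread or from the ActiveMQ project, for the point JB makes above: "5.3.30" is the bundled Spring version, so what a scan finding should be checked against is which Spring jars a given install actually ships. The jar naming scheme (spring-<module>-<version>.jar) is an assumption, and the jars in demo_dir are an empty constructed fixture.

```shell
#!/bin/sh
# Editor's example, not an ActiveMQ script: read the Spring version out of the
# jar names bundled with an install and compare it against the version the
# thread names as carrying the fix (5.3.31). Assumes jars are named
# spring-<module>-<version>.jar; the directory to scan is whatever you pass in.

# Print the version part of a Spring jar name, e.g. "5.3.30" for spring-web-5.3.30.jar.
spring_jar_version() {
    basename "$1" .jar | sed -n 's/^spring-[a-z-]*-\([0-9][0-9.]*\)$/\1/p'
}

# Return 0 if dotted version $1 >= $2, compared component by component
# (so 5.3.30 < 5.3.31 and 6.1.4 > 5.3.31).
version_ge() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}" y="${b%%.*}"
        a="${a#*.}" b="${b#*.}"
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# Print "<jar> <version> fixed|affected" for every Spring jar under $1,
# judged against the fixed version $2.
spring_status() {
    for jar in "$1"/spring-*.jar; do
        v="$(spring_jar_version "$jar")"
        [ -n "$v" ] || continue
        if version_ge "$v" "$2"; then s=fixed; else s=affected; fi
        printf '%s %s %s\n' "$(basename "$jar")" "$v" "$s"
    done
}

# Constructed fixture: empty files standing in for the bundled jars
# (two Spring 5.3.30 jars, one Spring 6.1.4 jar).
demo_dir() {
    d="$(mktemp -d)"
    touch "$d/spring-web-5.3.30.jar" "$d/spring-jms-5.3.30.jar" "$d/spring-core-6.1.4.jar"
    printf '%s' "$d"
}
```

Run it as `spring_status /path/to/activemq/lib 5.3.31` against a real install; the lib layout differs between releases, so point it at whichever directory holds the Spring jars.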

Re: CVE-2024-22243 Spring Framework Open Redirect Vulnerability - ActiveMQ 5.3.30

2024-03-07 Thread Matthew Gay
Thank you. Sorry about that.
Is there a release date on 5.18.4?

And furthermore - is ActiveMQ even vulnerable to this on versions below
5.18.4?


On Thu, Mar 7, 2024 at 10:24 AM Jean-Baptiste Onofré wrote:

> Hi Matt,
>
> I think you are missing the ActiveMQ version and Spring version.
>
> 5.3.30 is the Spring version, used in ActiveMQ 5.18.x. ActiveMQ 5.18.4
> will upgrade to Spring 5.3.31 fixing the CVE.
>
> Regards
> JB
>
> On Thu, Mar 7, 2024 at 2:25 PM Matthew Gay wrote:
> >
> > Good Morning,
> >
> > We are receiving scan reports regarding ActiveMQ being vulnerable to the
> > above CVE.
> > We have seen a couple emails that allude to ActiveMQ not being
> > vulnerable.
> >
> > However, we are looking for a more official response indicating if it
> > is, or is not vulnerable.
> > And to add - when an updated version of ActiveMQ will be available on
> > the 5.3.x line for this vulnerability.
> >
> > Thank you!
> > Matt
>





Re: [VOTE] Apache ActiveMQ 6.1.0 release

2024-03-07 Thread Jamie G.
+1

Cheers,
Jamie

On Thu, Mar 7, 2024 at 4:43 AM Francois Papon wrote:
>
> +1 (non-binding)
>
> I made some tests on local projects.
>
> Thanks JB for the release!
>
> regards,
>
> François
>
> On 05/03/2024 18:38, Jean-Baptiste Onofré wrote:
> > Hi guys,
> >
> > I submit Apache ActiveMQ "Classic" 6.1.0 release to your vote.
> >
> > This release includes:
> > - New JMS2/3 operations support
> > - Mapping javax / jakarta exception in openwire protocol
> > - Add destination field on the job scheduler
> > - Add org.apache.activemq.broker.BouncyCastleNotAdded property to
> > control the bouncycastle addition in BrokerService classloader
> > - Dependency upgrades (Spring 6.1.4, log4j 2.23.0, Jetty 11.0.20, ...)
> > - and a lot more !
> >
> > You can take a look on Release Notes for details:
> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12353745
> >
> > Maven Staging Repository:
> > https://repository.apache.org/content/repositories/orgapacheactivemq-1387/
> >
> > Dist Staging Repository:
> > https://dist.apache.org/repos/dist/dev/activemq/activemq/6.1.0/
> >
> > Git tag: activemq-6.1.0
> >
> > Please vote to approve this release:
> > [ ] +1 Approve the release
> > [ ] -1 Don't approve the release (please provide specific comments)
> >
> > This vote will be open for at least 72 hours.
> >
> > Thanks !
> > Regards
> > JB


Re: [VOTE] Apache ActiveMQ 6.1.0 release

2024-03-07 Thread Matt Pavlovich
+1 (binding) 

- Downloaded dist tar.gz archive and confirmed various configurations using JDK 21
- Tested web console demo examples
- Tested web console functions
- Reviewed JIRA and release notes

Thanks,
Matt Pavlovich

> On Mar 5, 2024, at 11:38 AM, Jean-Baptiste Onofré  wrote:
> 
> Hi guys,
> 
> I submit Apache ActiveMQ "Classic" 6.1.0 release to your vote.
> 
> This release includes:
> - New JMS2/3 operations support
> - Mapping javax / jakarta exception in openwire protocol
> - Add destination field on the job scheduler
> - Add org.apache.activemq.broker.BouncyCastleNotAdded property to
> control the bouncycastle addition in BrokerService classloader
> - Dependency upgrades (Spring 6.1.4, log4j 2.23.0, Jetty 11.0.20, ...)
> - and a lot more !
> 
> You can take a look on Release Notes for details:
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12353745
> 
> Maven Staging Repository:
> https://repository.apache.org/content/repositories/orgapacheactivemq-1387/
> 
> Dist Staging Repository:
> https://dist.apache.org/repos/dist/dev/activemq/activemq/6.1.0/
> 
> Git tag: activemq-6.1.0
> 
> Please vote to approve this release:
> [ ] +1 Approve the release
> [ ] -1 Don't approve the release (please provide specific comments)
> 
> This vote will be open for at least 72 hours.
> 
> Thanks !
> Regards
> JB



Re: [VOTE] Apache ActiveMQ 6.1.0 release

2024-03-07 Thread Matt Pavlovich
Heads up— while working on another fix, I may have stumbled on a regression
caused by the change below and may need to revert my +1 to a -1

Support space in filename: 
https://github.com/apache/activemq/pull/1162

INFO: Using default configuration
  Configurations are loaded in the following order: /etc/default/activemq 
/Users/activemq/.activemqrc "/Users/activemq/apache-activemq-6.1.0/"/bin/setenv

This appears to cause the setenv to not be sourced, and configs (such as JAAS
login.config and JMX settings) are not picked up at boot.

I’m doing some additional testing and will report back, but I believe we need 
to hold the release until this is verified.

Thanks,
Matt

> On Mar 7, 2024, at 2:05 PM, Matt Pavlovich  wrote:
> 
> +1 (binding) 
> 
> - Downloaded dist tar.gz archive and confirmed various configurations using 
> JDK 21
> - Tested web console demo examples
> - Tested web console functions
> - Reviewed JIRA and release notes
> 
> Thanks,
> Matt Pavlovich
> 
>> On Mar 5, 2024, at 11:38 AM, Jean-Baptiste Onofré  wrote:
>> 
>> Hi guys,
>> 
>> I submit Apache ActiveMQ "Classic" 6.1.0 release to your vote.
>> 
>> This release includes:
>> - New JMS2/3 operations support
>> - Mapping javax / jakarta exception in openwire protocol
>> - Add destination field on the job scheduler
>> - Add org.apache.activemq.broker.BouncyCastleNotAdded property to
>> control the bouncycastle addition in BrokerService classloader
>> - Dependency upgrades (Spring 6.1.4, log4j 2.23.0, Jetty 11.0.20, ...)
>> - and a lot more !
>> 
>> You can take a look on Release Notes for details:
>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12353745
>> 
>> Maven Staging Repository:
>> https://repository.apache.org/content/repositories/orgapacheactivemq-1387/
>> 
>> Dist Staging Repository:
>> https://dist.apache.org/repos/dist/dev/activemq/activemq/6.1.0/
>> 
>> Git tag: activemq-6.1.0
>> 
>> Please vote to approve this release:
>> [ ] +1 Approve the release
>> [ ] -1 Don't approve the release (please provide specific comments)
>> 
>> This vote will be open for at least 72 hours.
>> 
>> Thanks !
>> Regards
>> JB
> 

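An added reproduction of the failure mode Matt reports above, written by the editor and not taken from ActiveMQ's own start script. The INFO line shows the install path carrying literal double quotes ("/Users/activemq/apache-activemq-6.1.0/"/bin/setenv), so a file-existence guard never matches and setenv is silently skipped. The guard `[ -f "$f" ] && . "$f"` is an assumed stand-in for how a launcher sources optional config, and the install directory with a space in its name is a constructed fixture.

```shell
#!/bin/sh
# Editor's example, not ActiveMQ's start script: show why an install path that
# carries literal double quotes (as in the INFO line from the thread) makes the
# setenv lookup fail, and how to detect that condition before boot.

# Create a throwaway install dir whose name contains a space, with a setenv
# that sets a marker variable standing in for JAAS/JMX settings.
make_install_dir() {
    dir="$(mktemp -d)/apache activemq 6.1.0"
    mkdir -p "$dir/bin"
    printf 'ACTIVEMQ_OPTS="-Djava.security.auth.login.config=%s/conf/login.config"\n' \
        "$dir" > "$dir/bin/setenv"
    printf '%s' "$dir"
}

# Print "sourced" or "skipped" depending on whether the assumed guard
# would source bin/setenv under the given home value.
setenv_status() {
    f="$1/bin/setenv"
    if [ -f "$f" ]; then echo sourced; else echo skipped; fi
}

# Print the ACTIVEMQ_OPTS a launcher ends up with for the given home value;
# empty output means every setting in setenv was silently lost.
boot_opts() {
    ACTIVEMQ_OPTS=""
    f="$1/bin/setenv"
    if [ -f "$f" ]; then . "$f"; fi
    printf '%s' "$ACTIVEMQ_OPTS"
}

# Detection: a home value is correctly quoted only by the shell, never by
# embedding quote characters in the value itself. Return 0 if it contains
# literal double quotes, which is the symptom shown in the thread.
home_has_literal_quotes() {
    case "$1" in *\"*) return 0 ;; *) return 1 ;; esac
}
```

The same `[ -f "$f" ]` guard succeeds for the plain path and fails for the one with embedded quotes, which is why the broker boots without its JAAS and JMX settings rather than failing loudly.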


Re: [VOTE] Apache ActiveMQ 6.1.0 release

2024-03-07 Thread Jean-Baptiste Onofré
Hi Matt,

I tested it on MacOS with zsh. I didn't have any issues.

Let me double check.

Thanks for the report!

Regards
JB

On Thu, Mar 7, 2024 at 10:47 PM Matt Pavlovich  wrote:
>
> Heads up— while working on another fix, I may have stumbled on a regression 
> caused by the change below and may need to revert my +1 to a -1
>
> Support space in filename:
> https://github.com/apache/activemq/pull/1162
>
> INFO: Using default configuration
>   Configurations are loaded in the following order: /etc/default/activemq 
> /Users/activemq/.activemqrc 
> "/Users/activemq/apache-activemq-6.1.0/"/bin/setenv
>
> This appears to cause the setenv to not be sourced, and configs (such as JAAS 
> login.config and JMX settings) are not picked up at boot.
>
> I’m doing some additional testing and will report back, but I believe we need 
> to hold the release until this is verified.
>
> Thanks,
> Matt
>
> > On Mar 7, 2024, at 2:05 PM, Matt Pavlovich  wrote:
> >
> > +1 (binding)
> >
> > - Downloaded dist tar.gz archive and confirmed various configurations using 
> > JDK 21
> > - Tested web console demo examples
> > - Tested web console functions
> > - Reviewed JIRA and release notes
> >
> > Thanks,
> > Matt Pavlovich
> >
> >> On Mar 5, 2024, at 11:38 AM, Jean-Baptiste Onofré wrote:
> >>
> >> Hi guys,
> >>
> >> I submit Apache ActiveMQ "Classic" 6.1.0 release to your vote.
> >>
> >> This release includes:
> >> - New JMS2/3 operations support
> >> - Mapping javax / jakarta exception in openwire protocol
> >> - Add destination field on the job scheduler
> >> - Add org.apache.activemq.broker.BouncyCastleNotAdded property to
> >> control the bouncycastle addition in BrokerService classloader
> >> - Dependency upgrades (Spring 6.1.4, log4j 2.23.0, Jetty 11.0.20, ...)
> >> - and a lot more !
> >>
> >> You can take a look on Release Notes for details:
> >> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311210&version=12353745
> >>
> >> Maven Staging Repository:
> >> https://repository.apache.org/content/repositories/orgapacheactivemq-1387/
> >>
> >> Dist Staging Repository:
> >> https://dist.apache.org/repos/dist/dev/activemq/activemq/6.1.0/
> >>
> >> Git tag: activemq-6.1.0
> >>
> >> Please vote to approve this release:
> >> [ ] +1 Approve the release
> >> [ ] -1 Don't approve the release (please provide specific comments)
> >>
> >> This vote will be open for at least 72 hours.
> >>
> >> Thanks !
> >> Regards
> >> JB
> >
>