Re: ActiveMQ cve vulnerabilities seen in latest version

2019-07-19 Thread Bruce Snyder
JB, here's the email that announces the CVE and indicates that it was fixed in
the 5.15.6 release:

https://lists.apache.org/list.html?dev@activemq.apache.org:2018-9

Here is the JIRA issue:

https://issues.apache.org/jira/browse/AMQ-7047

I do see that this was cherry picked into the 5.15.x branch, so you should
be able to chase it down further from the info there.

Bruce

On Wed, Jul 3, 2019 at 10:39 PM Jean-Baptiste Onofré wrote:

> Hi,
>
> I'm going to take a look. If the CVE has been published, they should be fixed
> already. The point is more on which branch it has been fixed.
>
> So, let me do a pass as I'm preparing 5.15.10.
>
> Regards
> JB
>
> On 04/07/2019 06:01, venu madhav wrote:
> > Hi team,
> >
> > I am running a dummy project to scan for vulnerabilities using OWASP
> > dependency-check. The project doesn't contain anything except for the
> > activemq jars added as dependencies in the pom.xml. Even when we use the
> > latest version of the activemq-kahadb-store jar (version 5.15.9) we see some
> > vulnerabilities such as CVE-2018-11775, CVE-2016-3088 which ideally
> > should be fixed in the latest release as mentioned in the link:
> > https://activemq.apache.org/components/classic/security
> >
> > Can you please check and tell if the issue is not fixed or the NVD database
> > is still showing the vulnerability even if the issue is fixed.
> >
> > I have attached the pom.xml and the dependency check reports for your
> > reference.
>
> --
> Jean-Baptiste Onofré
> jbono...@apache.org
> http://blog.nanthrax.net
> Talend - http://www.talend.com
>


-- 
Blog: http://bsnyder.org/ 
Twitter: http://twitter.com/brucesnyder


Re: ActiveMQ cve vulnerabilities seen in latest version

2019-07-18 Thread venu madhav
Hi JB,

Did you get a chance to look into this? Can you please confirm if the
mentioned vulnerabilities are already fixed from the ActiveMQ end?


Thanks and regards,
Venu

On Thu, Jul 4, 2019 at 10:09 AM Jean-Baptiste Onofré wrote:

> Hi,
>
> I'm going to take a look. If the CVE has been published, they should be fixed
> already. The point is more on which branch it has been fixed.
>
> So, let me do a pass as I'm preparing 5.15.10.
>
> Regards
> JB
>
> On 04/07/2019 06:01, venu madhav wrote:
> > Hi team,
> >
> > I am running a dummy project to scan for vulnerabilities using OWASP
> > dependency-check. The project doesn't contain anything except for the
> > activemq jars added as dependencies in the pom.xml. Even when we use the
> > latest version of the activemq-kahadb-store jar (version 5.15.9) we see some
> > vulnerabilities such as CVE-2018-11775, CVE-2016-3088 which ideally
> > should be fixed in the latest release as mentioned in the link:
> > https://activemq.apache.org/components/classic/security
> >
> > Can you please check and tell if the issue is not fixed or the NVD database
> > is still showing the vulnerability even if the issue is fixed.
> >
> > I have attached the pom.xml and the dependency check reports for your
> > reference.
>
> --
> Jean-Baptiste Onofré
> jbono...@apache.org
> http://blog.nanthrax.net
> Talend - http://www.talend.com
>


Re: ActiveMQ cve vulnerabilities seen in latest version

2019-07-03 Thread Jean-Baptiste Onofré
Hi,

I'm going to take a look. If the CVE has been published, they should be fixed
already. The point is more on which branch it has been fixed.

So, let me do a pass as I'm preparing 5.15.10.

Regards
JB

On 04/07/2019 06:01, venu madhav wrote:
> Hi team,
> 
> I am running a dummy project to scan for vulnerabilities using OWASP
> dependency-check. The project doesn't contain anything except for the
> activemq jars added as dependencies in the pom.xml. Even when we use the
> latest version of the activemq-kahadb-store jar (version 5.15.9) we see some
> vulnerabilities such as CVE-2018-11775, CVE-2016-3088 which ideally
> should be fixed in the latest release as mentioned in the link:
> https://activemq.apache.org/components/classic/security
>
> Can you please check and tell if the issue is not fixed or the NVD database
> is still showing the vulnerability even if the issue is fixed.
> 
> I have attached the pom.xml and the dependency check reports for your
> reference.

-- 
Jean-Baptiste Onofré
jbono...@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com


ActiveMQ cve vulnerabilities seen in latest version

2019-07-03 Thread venu madhav
Hi team,

I am running a dummy project to scan for vulnerabilities using OWASP
dependency-check. The project doesn't contain anything except for the
activemq jars added as dependencies in the pom.xml. Even when we use the
latest version of the activemq-kahadb-store jar (version 5.15.9) we see some
vulnerabilities such as CVE-2018-11775, CVE-2016-3088 which ideally should
be fixed in the latest release as mentioned in the link:
https://activemq.apache.org/components/classic/security

Can you please check and tell if the issue is not fixed or the NVD database is
still showing the vulnerability even if the issue is fixed.

I have attached the pom.xml and the dependency check reports for your
reference.
http://maven.apache.org/POM/4.0.0; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance;
  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd;>
  4.0.0
  abcd
  cd
  pom
  0.0.1-SNAPSHOT
  cd Maven Webapp
  http://maven.apache.org
  

  DependencyCheckProfile
  

  
  org.owasp
  dependency-check-maven
  5.0.0-M1
  
   

 check

   
  
  
   true
  
 

  
	
	
	
	

 org.owasp
 dependency-check-maven
 5.0.0-M1
 
  
   
aggregate
   
  
 

   
  
  
  
 
	org.apache.activemq
	5.15.9
	activemq-kahadb-store


	org.apache.activemq
	5.15.9
	activemq-broker


	org.apache.activemq
	5.15.9
	activemq-client



  
  


org.owasp
dependency-check-maven
1.2.8


maven-war-plugin
2.4

	WebContent
	false

			


cd
  
   
  test