Re: Re: CVE-2024-22243 Spring Framework Open Redirect Vulnerability - ActiveMQ 5.3.30

2024-03-15 Thread Jean-Baptiste Onofré
Hi,

By the way, I will update to Spring 6.1.5, 6.0.18, 5.3.33 as a new CVE has been published. As ActiveMQ 6.1.0 vote is almost complete, I will release this one and prepare 6.1.1 including Spring 6.1.5 update.

Regards
JB

On Thu, Mar 14, 2024 at 5:09 PM Jean-Baptiste Onofré wrote:
>
> Hi

Re: Re: CVE-2024-22243 Spring Framework Open Redirect Vulnerability - ActiveMQ 5.3.30

2024-03-14 Thread Jean-Baptiste Onofré
Hi Stefan

Here's the Jira: https://issues.apache.org/jira/browse/AMQ-9453

I will close ActiveMQ 6.1.0 vote and promote the release, then I will submit 5.18.4 to vote.

Regards
JB

On Thu, Mar 14, 2024 at 4:29 PM Boeltl, Stefan wrote:
>
> Hi Jean-Baptiste,
>
> Looking at
>

RE: Re: CVE-2024-22243 Spring Framework Open Redirect Vulnerability - ActiveMQ 5.3.30

2024-03-14 Thread Boeltl, Stefan
Hi Jean-Baptiste,

Looking at https://mvnrepository.com/artifact/org.springframework/spring-web/5.3.31 I can see that CVE-2024-22243 is still there and fixed only in 5.3.32:

Re: CVE-2024-22243 Spring Framework Open Redirect Vulnerability - ActiveMQ 5.3.30

2024-03-07 Thread Matthew Gay
Thank you. Sorry about that. Is there a release date on 5.18.4? And furthermore - is ActiveMQ even vulnerable to this on versions below 5.18.4?

On Thu, Mar 7, 2024 at 10:24 AM Jean-Baptiste Onofré wrote:
> Hi Matt,
>
> I think you are missing the ActiveMQ version and Spring version.
>
>

Re: CVE-2024-22243 Spring Framework Open Redirect Vulnerability - ActiveMQ 5.3.30

2024-03-07 Thread Jean-Baptiste Onofré
Hi Matt,

I think you are missing the ActiveMQ version and Spring version. 5.3.30 is the Spring version, used in ActiveMQ 5.18.x. ActiveMQ 5.18.4 will upgrade to Spring 5.3.31 fixing the CVE.

Regards
JB

On Thu, Mar 7, 2024 at 2:25 PM Matthew Gay wrote:
>
> Good Morning,
>
> We are receiving