Hi, ActiveMQ 5.16.2 is being voted on at the moment: https://lists.apache.org/thread.html/r5b0094d52e4b43f60d3434ff20d3525290bf34bd85ff90af0b152aba%40%3Cdev.activemq.apache.org%3E, once that vote is complete, the binaries will be released on the website. You can pick up the binaries that are being voted on here: https://dist.apache.org/repos/dist/dev/activemq/activemq/5.16.2/, if you'd like to try them (and perhaps check with your security scanner). Anyone is welcome to vote on the release - so please do vote if you wish to - although the release will require a number of binding votes (from PMC members) to pass (https://www.apache.org/foundation/voting.html).
Jon

On Tue, Apr 27, 2021 at 9:29 AM Simon Billingsley <simon.billings...@matrixx.com.invalid> wrote:
> Hello,
> Our company is using ActiveMQ v5.16.1
> We have scanned the software with a security scanner and it has found
> critical/high severity security issues in 3 packages used by ActiveMQ:
> - log4j_log4j
> - org.apache.shiro_shiro-core
> - com.thoughtworks.xstream_xstream
>
> Here is the list of CVEs found:
> CVE ID                                           Severity  Package                            Package Version  CVSS  Fix Status
> https://nvd.nist.gov/vuln/detail/CVE-2019-17571  critical  log4j_log4j                        1.2.17           9.8
> https://nvd.nist.gov/vuln/detail/CVE-2020-17523  critical  org.apache.shiro_shiro-core        1.7.0            9.8   fixed in 1.7.1
> https://nvd.nist.gov/vuln/detail/CVE-2021-21342  critical  com.thoughtworks.xstream_xstream   1.4.15           9.1   fixed in 1.4.16
> https://nvd.nist.gov/vuln/detail/CVE-2021-21344  critical  com.thoughtworks.xstream_xstream   1.4.15           9.8   fixed in 1.4.16
> https://nvd.nist.gov/vuln/detail/CVE-2021-21345  critical  com.thoughtworks.xstream_xstream   1.4.15           9.9   fixed in 1.4.16
> https://nvd.nist.gov/vuln/detail/CVE-2021-21346  critical  com.thoughtworks.xstream_xstream   1.4.15           9.8   fixed in 1.4.16
> https://nvd.nist.gov/vuln/detail/CVE-2021-21347  critical  com.thoughtworks.xstream_xstream   1.4.15           9.8   fixed in 1.4.16
> https://nvd.nist.gov/vuln/detail/CVE-2021-21350  critical  com.thoughtworks.xstream_xstream   1.4.15           9.8   fixed in 1.4.16
> https://nvd.nist.gov/vuln/detail/CVE-2021-21351  critical  com.thoughtworks.xstream_xstream   1.4.15           9.1   fixed in 1.4.16
> https://nvd.nist.gov/vuln/detail/CVE-2021-21341  high      com.thoughtworks.xstream_xstream   1.4.15           7.5   fixed in 1.4.16
> https://nvd.nist.gov/vuln/detail/CVE-2021-21343  high      com.thoughtworks.xstream_xstream   1.4.15           7.5   fixed in 1.4.16
> https://nvd.nist.gov/vuln/detail/CVE-2021-21348  high      com.thoughtworks.xstream_xstream   1.4.15           7.5   fixed in 1.4.16
> https://nvd.nist.gov/vuln/detail/CVE-2021-21349  high      com.thoughtworks.xstream_xstream   1.4.15           8.6   fixed in 1.4.16
>
> I found the following JIRAs related to these:
> Upgrade Shiro: https://issues.apache.org/jira/browse/AMQ-8159 - RESOLVED
> Upgrade XStream: https://issues.apache.org/jira/browse/AMQ-8197 - RESOLVED
> Upgrade Log4J: https://issues.apache.org/jira/browse/AMQ-7426 - OPEN
>
> Please can you give me an ETA for when Apache ActiveMQ v5.16.2 will be released?
>
> Best regards,
> Simon.
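As an added illustration of the kind of check Jon suggests running against the candidate binaries (this is example code written for this page, not code from the thread or from the ActiveMQ project), the script below parses jar filenames as they would appear in a distribution's lib/ directory and compares the bundled versions against the "Fix Status" versions quoted in the scanner table above. The fix versions (shiro-core 1.7.1, xstream 1.4.16) are taken from the table; log4j has no fix version listed there, so it is reported as "no-fix-listed" rather than given an invented one. The directory listing is constructed for the example, and the artifact-name to filename mapping is an assumption about Maven-style jar naming.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fix versions as quoted in the scanner table in the thread above.
# log4j 1.2.17 has no "Fix Status" entry there, so it is recorded as None.
FIX_VERSIONS: Dict[str, Optional[str]] = {
    "shiro-core": "1.7.1",
    "xstream": "1.4.16",
    "log4j": None,
}

# Constructed sample of a lib/ directory listing; these names are illustrative
# and are not taken from any actual ActiveMQ release archive.
SAMPLE_LIB_LISTING: List[str] = [
    "activemq-broker-5.16.1.jar",
    "log4j-1.2.17.jar",
    "shiro-core-1.7.0.jar",
    "xstream-1.4.15.jar",
    "slf4j-api-1.7.30.jar",
    "README.txt",  # non-jar entries are ignored
]

# Maven-style "<artifact>-<numeric version>[-qualifier].jar" (assumed layout).
JAR_RE = re.compile(
    r"^(?P<artifact>[A-Za-z][A-Za-z0-9_.-]*?)-"
    r"(?P<version>\d+(?:\.\d+)*)(?:-[A-Za-z0-9]+)?\.jar$"
)


def parse_jar_name(filename: str) -> Optional[Tuple[str, str]]:
    """Split a jar filename into (artifact, version); None if it does not fit."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    return m.group("artifact"), m.group("version")


def compare_versions(a: str, b: str) -> int:
    """Numeric dotted-version comparison: -1 if a < b, 0 if equal, 1 if a > b.
    Shorter tuples are zero-padded so that 1.7 and 1.7.0 compare equal."""
    ta = [int(p) for p in a.split(".")]
    tb = [int(p) for p in b.split(".")]
    n = max(len(ta), len(tb))
    ta += [0] * (n - len(ta))
    tb += [0] * (n - len(tb))
    return (ta > tb) - (ta < tb)


def check_lib_listing(filenames: List[str],
                      fix_versions: Dict[str, Optional[str]] = FIX_VERSIONS) -> List[dict]:
    """Report every jar whose artifact appears in the fix table.

    status is "outdated" when the bundled version is below the fixed-in
    version, "ok" when it is at or above it, and "no-fix-listed" when the
    table carries no fixed release for that artifact (as for log4j above)."""
    findings = []
    for name in filenames:
        parsed = parse_jar_name(name)
        if parsed is None:
            continue
        artifact, version = parsed
        if artifact not in fix_versions:
            continue
        fixed = fix_versions[artifact]
        if fixed is None:
            status = "no-fix-listed"
        elif compare_versions(version, fixed) < 0:
            status = "outdated"
        else:
            status = "ok"
        findings.append({"jar": name, "artifact": artifact,
                         "version": version, "fixed_in": fixed, "status": status})
    return findings


if __name__ == "__main__":
    for f in check_lib_listing(SAMPLE_LIB_LISTING):
        print(f"{f['jar']:28} {f['status']:14} fixed_in={f['fixed_in']}")
```

Pointing the same check at the lib/ directory of the 5.16.2 candidate (replace the constructed listing with `os.listdir(...)`) gives a quick confirmation of which of the three packages the scanner flagged have actually moved to the fixed versions, which is useful alongside the scanner output rather than instead of it, since a scanner also matches on content rather than filename alone.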