> do you guys know the release date for 5.17.0

See my previous message on this thread.

Justin

On Thu, Jan 13, 2022 at 4:58 PM Yadlapalli, Srinivasa Rao <[email protected]> wrote:

> Thank you
> do you guys know the release date for 5.17.0
>
> Thank you,
> Srinivas
>
> On Jan 13, 2022, at 4:07 PM, JB Onofré <[email protected]> wrote:
>
> > Hi
> >
> > Big thanks to Justin for the complete answer. Nothing to add, just again thanks to Justin ;)
> >
> > And yes, the log4j2 upgrade PR will be ok soon, towards the 5.17.0 vote.
> >
> > Regards
> > JB
> >
> >> On Jan 13, 2022, at 21:59, Justin Bertram <[email protected]> wrote:
> >>
> >>> The official statement "the latest versions (i.e. 5.15.15 and 5.16.3) use Log4j 1.2.17 which is not impacted by CVE-2021-44228" is not accepted, as Log4j 1.2.17 has not been maintained since August 2015.
> >>
> >> The "official statement" [1] that you reference is only dealing with CVE-2021-44228. It's not a general statement about all the security vulnerabilities in Log4j 1.2.17. It remains a fact that Log4j 1.2.17 is not impacted by CVE-2021-44228.
> >>
> >>> Here an existing security vulnerability, (CVE-2019-17571) is not fixed with the note "Users are urged to upgrade to Log4j 2".
> >>
> >> Regarding CVE-2019-17571 you can read more on this Jira [2]. In short, as noted by Jean-Baptiste Onofré, "ActiveMQ is not affected as it doesn't use the SocketServer. However, I think it makes sense to update/support log4j2..." AMQ-7426 [3] was later created to track the work to upgrade to Log4j 2.
> >>
> >>> This situation will not be accepted by a number of large customers, which demand a timely exchange of this component to the officially released new Log4j version 2.
> >>
> >> Since you've sent this email to the public Apache ActiveMQ mailing lists you're dealing with "community support" as described on the ActiveMQ website [4]. As noted, this support is provided on a volunteer basis. Furthermore, in the spirit of open-source, all community members are encouraged (although certainly not required) to get involved. As noted in a recent position paper [5] from the Apache Software Foundation, "Community is defined by those who show up and do the work." I would strongly encourage your organization, as an "intensive user of the Apache technology," to avail itself of *all* the benefits of open source. With your help to "do the work" this issue could potentially have been resolved long ago.
> >>
> >>> Therefore we ask you kindly to name and communicate an official release date for ActiveMQ 5.17.0 (including the Log4j version 2).
> >>
> >> Given the volunteer nature of community support and how open-source works at Apache I'm not sure "an official release date" can be provided, at least not like you'd expect from a commercial software vendor. As noted on the users mailing list as well as the Log4j 2 upgrade PR [6] (linked from the aforementioned statement about CVE-2021-44228 [1]), the current plan is to put a release up for vote at the end of January. All community members can vote on the release for 3 days, and if the vote passes then the release should be done in early February.
> >>
> >> I hope that helps!
> >>
> >>
> >> Justin
> >>
> >> [1] https://activemq.apache.org/news/cve-2021-44228
> >> [2] https://issues.apache.org/jira/browse/AMQ-7370
> >> [3] https://issues.apache.org/jira/browse/AMQ-7426
> >> [4] https://activemq.apache.org/support
> >> [5] https://cwiki.apache.org/confluence/display/COMDEV/Position+Paper
> >> [6] https://github.com/apache/activemq/pull/662
> >>
> >>> On Thu, Jan 13, 2022 at 2:09 PM Knöringer, Ralf <[email protected]> wrote:
> >>>
> >>> To whom it may concern,
> >>>
> >>> as an intensive user of the Apache technology in our enterprise architecture and product portfolio I may draw your attention to a critical issue.
> >>>
> >>> Based on the known vulnerability CVE-2021-44228 in the Log4j Version 2, many of our large enterprise customers (e.g. Volkswagen Financial Services) are becoming very sensitive to the risk of using software elements not under maintenance.
> >>>
> >>> Unfortunately we have this situation with the message broker ActiveMQ "Classic" (the latest versions 5.15.15 and 5.16.3) as there is an embedded use of the Log4j version 1.2.17.
> >>>
> >>> The official statement "the latest versions (i.e. 5.15.15 and 5.16.3) use Log4j 1.2.17 which is not impacted by CVE-2021-44228" is not accepted, as Log4j 1.2.17 has not been maintained since August 2015.
> >>>
> >>> (Here an existing security vulnerability, (CVE-2019-17571) is not fixed with the note "Users are urged to upgrade to Log4j 2".)
> >>>
> >>> This situation will not be accepted by a number of large customers, which demand a timely exchange of this component to the officially released new Log4j version 2.
> >>>
> >>> Therefore we ask you kindly to name and communicate an official release date for ActiveMQ 5.17.0 (including the Log4j version 2).
> >>>
> >>> A timely answer is really appreciated as we think this could mitigate negative responses and create positive feedback from the market.
> >>>
> >>> Best regards
> >>>
> >>> Ralf Knöringer
> >>> Senior Manager
> >>> Big Data & Cybersecurity - IAM
> >>> Atos Information Technology GmbH, Munich, Germany
>
> Srinivasa Rao Yadlapalli
> Align | www.align.com
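A defender-side inventory check for the situation the thread describes, added here as an example and not ActiveMQ project code. It walks an install directory, lists the Log4j jars it finds, flags `log4j-core` 2.x below 2.15.0 (the first Log4j 2 release carrying the CVE-2021-44228 fix) and Log4j 1.x as end-of-life, and reports CVE-2019-17571 as applicable only when a script or configuration on the host actually references `org.apache.log4j.net.SocketServer`, which is the distinction Justin draws when he says ActiveMQ itself is not affected. The directory layout, jar names, properties file and the `log-receiver.sh` script are constructed sample input; the check assumes the jar version is encoded in the file name, as it is for the Maven-built artifacts ActiveMQ ships.

```python
"""Inventory Log4j jars under an install directory and triage them against the
two CVEs discussed in the thread: CVE-2021-44228 (Log4j 2.x) and
CVE-2019-17571 (deserialization in Log4j 1.2's SocketServer).

Added example, not ActiveMQ project code. File names and contents below are
constructed for the demonstration.
"""
import re
import tempfile
import zipfile
from dataclasses import dataclass, field
from pathlib import Path

# Matches log4j-1.2.17.jar, log4j-core-2.14.1.jar, log4j-api-2.17.1.jar, ...
JAR_RE = re.compile(r"^(log4j(?:-core|-api)?)-(\d+(?:\.\d+)+)\.jar$", re.IGNORECASE)
# Class in which CVE-2019-17571 lives. The class is present inside every
# log4j-1.2.x jar; what matters is whether something on the host runs it.
SOCKET_SERVER = "org.apache.log4j.net.SocketServer"
TEXT_SUFFIXES = {".properties", ".xml", ".sh", ".conf", ".cmd"}


def version_tuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


@dataclass
class Finding:
    path: str
    artifact: str
    version: str
    issues: list = field(default_factory=list)


def find_socket_server_refs(root: Path) -> list:
    """Text files under root that mention the SocketServer class by name."""
    refs = []
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in TEXT_SUFFIXES:
            if SOCKET_SERVER in p.read_text(errors="replace"):
                refs.append(p.relative_to(root).as_posix())
    return sorted(refs)


def triage(root) -> list:
    root = Path(root)
    socket_refs = find_socket_server_refs(root)
    findings = []
    for jar in root.rglob("*.jar"):
        if not jar.name.lower().startswith("log4j"):
            continue  # only Log4j artifacts are in scope here
        rel = jar.relative_to(root).as_posix()
        m = JAR_RE.match(jar.name)
        if not m:
            findings.append(Finding(rel, jar.name, "unknown",
                                    ["version not parsed from file name; inspect META-INF/MANIFEST.MF"]))
            continue
        artifact, version = m.group(1).lower(), m.group(2)
        vt = version_tuple(version)
        f = Finding(rel, artifact, version)
        if vt[0] == 1:
            # Log4j 1.x: not in scope for CVE-2021-44228, but unmaintained.
            f.issues.append("EOL (Log4j 1.x unmaintained since August 2015)")
            if socket_refs:
                f.issues.append("CVE-2019-17571: SocketServer referenced in " + ", ".join(socket_refs))
            else:
                f.issues.append("CVE-2019-17571: not applicable, SocketServer not referenced")
        elif artifact == "log4j-core" and vt < (2, 15, 0):
            f.issues.append("CVE-2021-44228: log4j-core below 2.15.0")
        findings.append(f)
    return sorted(findings, key=lambda x: x.path)


def build_sample_tree(root) -> Path:
    """Constructed ActiveMQ-like layout containing the jars the thread discusses."""
    root = Path(root)
    for d in ("lib", "conf", "bin"):
        (root / d).mkdir(parents=True, exist_ok=True)
    for name in ("log4j-1.2.17.jar", "log4j-core-2.14.1.jar", "log4j-api-2.17.1.jar"):
        with zipfile.ZipFile(root / "lib" / name, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    (root / "conf" / "log4j.properties").write_text(
        "log4j.rootLogger=INFO, console\n"
        "log4j.appender.console=org.apache.log4j.ConsoleAppender\n")
    # Constructed helper script that would start the Log4j 1.x log receiver;
    # its presence is what makes CVE-2019-17571 relevant on this host.
    (root / "bin" / "log-receiver.sh").write_text(
        "#!/bin/sh\njava -cp lib/log4j-1.2.17.jar " + SOCKET_SERVER
        + " 4560 conf/log4j.properties logs\n")
    return root


def run_demo() -> list:
    """Build the sample tree in a temp directory and triage it."""
    return triage(build_sample_tree(tempfile.mkdtemp()))


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.path} ({f.artifact} {f.version})")
        for issue in f.issues:
            print("   -", issue)
```

Run it against a real broker directory with `triage("/opt/activemq")`; the point of the `SocketServer` reference scan is that a Log4j 1.2.17 jar on disk is not by itself evidence that CVE-2019-17571 is reachable, while a script or service unit that starts the receiver is.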
