This is an automated email from the ASF dual-hosted git repository.
git-site-role pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/activemq-website.git
The following commit(s) were added to refs/heads/asf-site by this push:
new 5fb2df4c9 Automatic Site Publish by Buildbot
5fb2df4c9 is described below
commit 5fb2df4c9da522914c6a344d7ad40e6debeb544c
Author: buildbot <[email protected]>
AuthorDate: Thu Apr 9 12:54:38 2026 +0000
Automatic Site Publish by Buildbot
---
.../CVE-2025-66168-announcement.txt | 10 ++++++++
.../CVE-2026-39304-announcement.txt | 28 ++++++++++++++++++++++
.../CVE-2026-40046-announcement.txt | 27 +++++++++++++++++++++
3 files changed, 65 insertions(+)
diff --git a/output/security-advisories.data/CVE-2025-66168-announcement.txt
b/output/security-advisories.data/CVE-2025-66168-announcement.txt
index de9d276f3..05c46b919 100644
--- a/output/security-advisories.data/CVE-2025-66168-announcement.txt
+++ b/output/security-advisories.data/CVE-2025-66168-announcement.txt
@@ -1,3 +1,13 @@
+WARNING:
+
+Users of 6.x should upgrade to 6.2.4 or later as the fix was missed in
previous 6.x releases.
+
+See the following for more details:
+https://activemq.apache.org/security-advisories.data/CVE-2026-40046-announcement.txt
+https://www.cve.org/CVERecord?id=CVE-2026-40046
+
+Original CVE report:
+
Affected versions:
- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.2
diff --git a/output/security-advisories.data/CVE-2026-39304-announcement.txt
b/output/security-advisories.data/CVE-2026-39304-announcement.txt
new file mode 100644
index 000000000..70192f541
--- /dev/null
+++ b/output/security-advisories.data/CVE-2026-39304-announcement.txt
@@ -0,0 +1,28 @@
+Severity: important
+
+Affected versions:
+
+- Apache ActiveMQ Client (org.apache.activemq:activemq-client) before 5.19.4
+- Apache ActiveMQ Client (org.apache.activemq:activemq-client) 6.0.0 before
6.2.4
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.4
+- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before
6.2.4
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) before 5.19.4
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) 6.0.0 before 6.2.4
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.4
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.4
+
+Description:
+
+Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client,
Apache ActiveMQ Broker, Apache ActiveMQ.
+
+ActiveMQ NIO SSL transports do not correctly handle TLSv1.3 handshake
KeyUpdates triggered by clients. This makes it possible for a client to rapidly
trigger updates which causes the broker to exhaust all its memory in the SSL
engine leading to DoS.
+
+Note: TLS versions before TLSv1.3 (such as TLSv1.2) are broken but are not
vulnerable to OOM. Previous TLS versions require a full handshake renegotiation
which causes a connection to hang but not OOM. This is fixed as well.
+This issue affects Apache ActiveMQ Client: before 5.19.4, from 6.0.0 before
6.2.4; Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.4; Apache
ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.4.
+
+Users are recommended to upgrade to version 6.2.4 or 5.19.5, which fixes the
issue.
+
+References:
+
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-39304
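Review bot: the affected ranges say "before 5.19.4" for every artifact and the "This issue affects" sentence repeats that, but the recommendation says to upgrade to "6.2.4 or 5.19.5"; one of the two is off by a release, so either the affected ranges should read "before 5.19.5" or the recommendation should name 5.19.4 as the fixed 5.x version. The Note also says the pre-TLSv1.3 hang "is fixed as well" without naming a release; stating the version there avoids readers assuming a separate fix.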
diff --git a/output/security-advisories.data/CVE-2026-40046-announcement.txt
b/output/security-advisories.data/CVE-2026-40046-announcement.txt
new file mode 100644
index 000000000..a5d889d0f
--- /dev/null
+++ b/output/security-advisories.data/CVE-2026-40046-announcement.txt
@@ -0,0 +1,27 @@
+Severity: moderate
+
+Affected versions:
+
+- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.4
+- Apache ActiveMQ All (org.apache.activemq:activemq-all) 6.0.0 before 6.2.4
+- Apache ActiveMQ MQTT (org.apache.activemq:activemq-mqtt) 6.0.0 before 6.2.4
+
+Description:
+
+Integer Overflow or Wraparound vulnerability in Apache ActiveMQ, Apache
ActiveMQ All, Apache ActiveMQ MQTT.
+
+The fix for "CVE-2025-66168: MQTT control packet remaining length field is not
properly validated" was only applied to 5.19.2 (and future 5.19.x) releases but
was missed for all 6.0.0+ versions.
+
+This issue affects Apache ActiveMQ: from 6.0.0 before 6.2.4; Apache ActiveMQ
All: from 6.0.0 before 6.2.4; Apache ActiveMQ MQTT: from 6.0.0 before 6.2.4.
+
+Users are recommended to upgrade to version 6.2.4 or a 5.19.x version starting
with 5.19.2 or later (currently latest is 5.19.5), which fixes the issue.
+
+Credit:
+
+Adrien Bernard (finder)
+
+References:
+
+https://www.cve.org/CVERecord?id=CVE-2025-66168
+https://activemq.apache.org/
+https://www.cve.org/CVERecord?id=CVE-2026-40046
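Review bot: the description says the fix "was missed for all 6.0.0+ versions" while the affected list scopes it to "6.0.0 before 6.2.4"; wording it as "all 6.x releases before 6.2.4" keeps the two consistent. The References section would also benefit from a link to the CVE-2025-66168 announcement text file edited in the first hunk, since that file's new WARNING already links back to this one.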